crimsonrat | hxxp://www[.]google[.]com

Analysis

max time kernel
310s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.google.com

Score

10^/10

crimsonrat defense_evasion discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d88-994.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CrimsonRAT(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CrimsonRAT(1).exe

Executes dropped EXE 6 IoCs

pid	Process
5864	CrimsonRAT.exe
5124	dlrarhsiva.exe
5936	CrimsonRAT(1).exe
4836	dlrarhsiva.exe
1208	CrimsonRAT(1).exe
1552	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
174	raw.githubusercontent.com
175	raw.githubusercontent.com
176	raw.githubusercontent.com
177	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT(1).exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802386740162484"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT(1).exe:Zone.Identifier	firefox.exe

Runs regedit.exe 1 IoCs

pid	Process
3684	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2152	taskmgr.exe
3684	regedit.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4540	Process not Found
3792	Process not Found
892	Process not Found
4416	Process not Found
5692	Process not Found
4184	Process not Found
4076	Process not Found
5012	Process not Found
6108	Process not Found
4408	Process not Found
2652	Process not Found
5752	Process not Found
4988	Process not Found
312	Process not Found
3100	Process not Found
5376	Process not Found
3004	Process not Found
5816	Process not Found
3360	Process not Found
4524	Process not Found
1988	Process not Found
4500	Process not Found
5360	Process not Found
2736	Process not Found
4800	Process not Found
3204	Process not Found
3828	Process not Found
5272	Process not Found
4752	Process not Found
2368	Process not Found
5316	Process not Found
3696	Process not Found
5036	Process not Found
2280	Process not Found
2800	Process not Found
5732	Process not Found
4884	Process not Found
928	Process not Found
1448	Process not Found
4932	Process not Found
2324	Process not Found
5840	Process not Found
5832	Process not Found
1284	Process not Found
3940	Process not Found
3968	Process not Found
4364	Process not Found
1856	Process not Found
4224	Process not Found
5976	Process not Found
4312	Process not Found
1880	Process not Found
1532	Process not Found
1932	Process not Found
6016	Process not Found
3484	Process not Found
5700	Process not Found
2744	Process not Found
3120	Process not Found
5308	Process not Found
1968	Process not Found
2476	Process not Found
1000	Process not Found
6028	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
4684	chrome.exe
4684	chrome.exe
4684	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeDebugPrivilege	5864	CrimsonRAT.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe
Token: SeShutdownPrivilege	3608	chrome.exe
Token: SeCreatePagefilePrivilege	3608	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
3608	chrome.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe
2152	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
5504	firefox.exe
3704	SystemSettingsAdminFlows.exe
3712	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2416 wrote to memory of 2396	2416	firefox.exe	82
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 4628	2396	firefox.exe	83
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84
PID 2396 wrote to memory of 3652	2396	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.google.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://www.google.com
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b94781f3-7b0d-4c9f-a3e7-18ce992cf59a} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" gpu
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0480e3af-35ac-4f97-8b48-3200446b95d7} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" socket
    3⤵
    - Checks processor information in registry
    PID:3652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3008 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdf72752-1b93-4cb9-8ad0-5a1b4497f055} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:3152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3968 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 2756 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa10788-91b4-4770-92df-867c54271eba} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:4024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1436 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4784 -prefMapHandle 4780 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68159fb9-247b-440a-a873-a60e16b8b803} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" utility
    3⤵
    - Checks processor information in registry
    PID:3016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5292 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3135935-82e2-46aa-bec5-24dff97a1079} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af5f4a73-d20f-4251-a13f-9ec602ab68de} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e36849c-a939-4f8e-978f-0a326d1de979} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:1340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5968 -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5320 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc48c1dd-469c-4552-8986-19c845c60d59} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:1000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6232 -childID 7 -isForBrowser -prefsHandle 6248 -prefMapHandle 6224 -prefsLen 33377 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a58eadd-126a-4b43-848b-25af500bd54d} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:4000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6676 -childID 8 -isForBrowser -prefsHandle 6688 -prefMapHandle 6700 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17a73f16-ea87-42de-9760-fe01c20c6cc9} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:3400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6608 -childID 9 -isForBrowser -prefsHandle 6612 -prefMapHandle 6852 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8089721d-907c-4c3d-a8cd-28eb86f5df80} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6824 -childID 10 -isForBrowser -prefsHandle 4148 -prefMapHandle 6592 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {463f0605-1025-432c-9a01-8131fae846cc} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" tab
    3⤵
    PID:6116
- - C:\Users\Admin\Downloads\CrimsonRAT.exe
    "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
  - - C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      4⤵
      Executes dropped EXE
      PID:5124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5292

C:\Users\Admin\Downloads\CrimsonRAT(1).exe
"C:\Users\Admin\Downloads\CrimsonRAT(1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5936
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4836

C:\Users\Admin\Downloads\CrimsonRAT(1).exe
"C:\Users\Admin\Downloads\CrimsonRAT(1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1208
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff66a1cc40,0x7fff66a1cc4c,0x7fff66a1cc58
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5216,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5192,i,4402864115107239393,9276452240251758391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:2
  2⤵
  PID:5128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2152

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:3684

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\i know you're watching me...txt
1⤵
PID:5844

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\i know you're watching me...txt
1⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff66a1cc40,0x7fff66a1cc4c,0x7fff66a1cc58
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,9998500615651353518,15142310998488358633,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,9998500615651353518,15142310998488358633,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,9998500615651353518,15142310998488358633,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,9998500615651353518,15142310998488358633,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,9998500615651353518,15142310998488358633,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,9998500615651353518,15142310998488358633,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:5380

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2508
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 28629 -prefMapSize 244985 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2597b15a-56b2-4b25-91e4-c9ea5999782c} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" gpu
    3⤵
    PID:5240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 28665 -prefMapSize 244985 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18e477c8-f743-460a-9082-b263ce7bee68} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" socket
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2944 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 28806 -prefMapSize 244985 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc6a3f0c-5672-44cc-9f9b-4f74fa99a996} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" tab
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3940 -prefMapHandle 3920 -prefsLen 34039 -prefMapSize 244985 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8406a4f2-c259-4392-8020-a82458be02d5} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" tab
    3⤵
    PID:5748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4800 -prefsLen 34093 -prefMapSize 244985 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ef9d784-a60b-4356-b0b7-f8eb1327a606} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" utility
    3⤵
    - Checks processor information in registry
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 3 -isForBrowser -prefsHandle 5116 -prefMapHandle 5164 -prefsLen 27506 -prefMapSize 244985 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26bad42f-8a39-47e2-859e-fbb8737cc4b2} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" tab
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 27506 -prefMapSize 244985 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee396ffc-9db4-4539-8fdd-7bccb2d269d2} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" tab
    3⤵
    PID:4576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27506 -prefMapSize 244985 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac7c799-4483-41cf-bf9f-ccc78b9e45a2} 5504 "\\.\pipe\gecko-crash-server-pipe.5504" tab
    3⤵
    PID:6084

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b65d667045a646269e3eb65f457698f1

SHA1
a263ce582c0157238655530107dbec05a3475c54

SHA256
23848757826358c47263fa65d53bb5ec49286b717f7f2c9c8e83192a39e35bb6

SHA512
87f10412feee145f16f790fbbcf0353db1b0097bda352c2cd147028db69a1e98779be880e133fed17af6ed73eb615a51e5616966c8a7b7de364ec75f37c67567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6be9e5b9404b48dd95a9934721c479af

SHA1
e048440734a757dd4348aa8b920f019c75f0b91d

SHA256
31e387d694fa78147abde3001b558f0e674fd24b94b4997c8c7f7d9f21e6b811

SHA512
5fbdeebf43ef8314ebab97eefc5fa963ff4f7717cba89d29a16dfcf07b6f078063b1cf59b593f273ffb2b2c451d0d51b9eb321119cf32cab836969c864544dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
c4c60c01806bf4324e95bee5a43e4663

SHA1
7da0db9e03bfddb5d7a728549a22ab2b06485507

SHA256
1d9537fb49aed17f7eae1f00f248a45c54bf3d42f9be3ee8ca9284d9f895502a

SHA512
66ba2913752148d19ab0616192ee60f3dcdbcdb8dcee5049ab496010e24d21522fe3345bfe9029d2496596614de5247aaaba6eea2e4b01465e9d1b04efa17d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d33bc6510117581300f3005ef02ea50e

SHA1
1569f4a248c37018320ec67fffa34a1695e88a61

SHA256
d90f697b76523fb03324fddeee0cfd582dffd7af38036884a95a5204f2e50b8e

SHA512
11ba1132d502c94e7b5097cf8d53db8cf8cf46df1dfdbbbb85104f568ea1de916e004517a7e96ecce8db726a2a20a4d86c00090a2407c26d5791065aafc01b1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
a3108769364d6a8f5fa3ed6e2e321d8f

SHA1
2af50c9ba022cb5d51b679f3ec321bf0e9e2318a

SHA256
32978556e46282a213e2f6c8661bd6928fcd96fd8621d9fee799d3f45f20d01d

SHA512
c386c6ce3525859ab3ec3765f10eae884785b3e04cb82c309f4641c944562c1453892a6eb77976172d40926d454c9d917b2742e085c25007f271ad080811ef32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
42628e00e55ffdf64142b9cb4f426c29

SHA1
56c1e31576fd2c00192cc982ba95c3fcd11ea70b

SHA256
621bebaa988d24ac84a7233e57c85e2f570e6f25a2145af39bb3daefa3c2818e

SHA512
8565edf055055910b3eb8315037eadbb147628fdebecdafbb56826d977768027fbf180671b20d7a2eed3c6ddfb875bbc514f585a74cdf499f62f55a2b125d982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_metadata\computed_hashes.json

Filesize
5KB

MD5
b60565bcc498024ac6b314bbde5fc51f

SHA1
5a56ef1f2db4075458d28a8cbfa8c2016e132d12

SHA256
2789f5c2c30836bcd23b16b56bd75e1adb34464d81a0985c7f4333d851d5d0b4

SHA512
5089f9447e4f942109fa4f6d178269ac112bd404376561b13360e4fc2dff852b592e8880fe4e239f2cad83d718ce5aa079eba5c5bbc620fcb23c3217a048a847

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_metadata\verified_contents.json

Filesize
11KB

MD5
0a68c9539a188b8bb4f9573f2f2321d6

SHA1
e0f814fa4dcc04edc6a5d39cbc1038979e88f0e5

SHA256
39e6c25d096afd156644f07586d85e37f1f7b3da9b636471e8d15ceb14db184f

SHA512
13f133c173c6622b8e1b6f86a551cbc5b0b2446b3cf96e4ae8ca2646009b99e4a360c2db3168cb94a488faebd215003dfa60d10150b7a85b5f8919900bd01ccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0

Filesize
44KB

MD5
35e7a9bf67e55aa97ef0673f4fee0666

SHA1
a14aafa0d3e95729bac3f3ca8263fc2ecc815895

SHA256
cd898e800fac1e47cfd4d6f42f1b59590f566c9aa92e17037247b033e5e2b089

SHA512
8e8e8a21835d9c3b1b33b533a882f85b3e90deaf8890f4cadedf9b9ec24c611da5dc39f94df6ed7c0d89f387ab830a19dc3699eebb9e0259e76b7e79d9826e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
17042d9cba6e1e8d195cf97e920e6ee8

SHA1
aaf67e750fbaf812c5fbb505fe9e29c781bf73c2

SHA256
416fd54c7aea627c218c3f5629cf78c6ddf648efe3c27b2b1ac2ffc483c72e84

SHA512
e69014f295af5b30961ce5ef3c011c225ea52d556091a51081f5d1f7df33662874c5f3b919c746f14deb65c1346209e0c6b505e0e9e2f1380df9ce4d38bca003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
1.0MB

MD5
fe993339a25710ebec86c051941d462c

SHA1
1a7a578b7a32bbe2102a789c2321090d406838d1

SHA256
59ce81d41051a1d16c02906cd586fcdeabbe7ee30ea7b7b1bb0970b981ffa443

SHA512
b81201876efadc61a8fb48718abb16f7f458856f2ee676db8b0da36790492ad930585c14ce200e7a9e079b8115b15e20ed95176cbfdc337b3ab732e5fe72bbd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.0MB

MD5
d6b0609c4b6edb45553ff9afbfc95e33

SHA1
2697657b75906d3653f48080ec1f3993c07bd8bf

SHA256
eb5cc165f4f69f7a3e72851b1b63e67efa9afb3c96bf8aefc962a5fdbdd6cc2e

SHA512
db4c837c9a8a30e65f0f634bcceecff3354d6b72b34536e584fafd02eb103cb4a6b01522d4463d8c54e6852d28a71d9ec8997e2f353e59ea8724aadbbc2a80ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
a4941719b3627f2800ddcd56988efbc6

SHA1
b6b7cc701a18cbcd70da1f9ddca703167242d74b

SHA256
e6c1f8050722110bd9837c1c1a892563b8e69c65e6f8c4f67540cd1a3d66972b

SHA512
c825d06d8f8f66da425f8ec897a20addab6d6dbfd1d91ad2876f604bc20d0066cff03e4b9f7e73ca426bf9f258f3e6bf318698e007111cf126782cd8264d4e4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
2003f2fc68e6de8f49ca25ffb345fb2f

SHA1
2c31e72d4e553165f703a1672eab4f5b68bfd5e1

SHA256
5a55be1532e613674b360e3db5285d5e8a571c58951f458c1f88ea54dfdb2d28

SHA512
f038290cba83edd6bd89f2d45a8cb371f4028b9450efa070ef54f749ec7a5ac7e23654207ed644674bb3060eba5783fb9c345729c644cdb3bac856a61391b3c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
d86561831da3b8058d825ea34b5f26e2

SHA1
7941484ad96425964c872f81806971bbdede3beb

SHA256
655870d5708563b0903cd193dab17792216d87d618f20281f64bb451f8f13d9a

SHA512
2dd6650bedd0e69a4d141e3495d9b5588980090a71a3cb40ef53f177fd6b47709016ec0ea5ed85f24f11dd968e051956bf587b74c468288c6e2fbaf6f12456e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7ee8bc50a4eb7a6dc5297b294d4c757e

SHA1
8f666e4fc26f58d801bec07db019ee6dc25dd8d1

SHA256
e6d0b0289828038fb97d2548af27c7976ad9087a3773da36d0ee0bd72ca2fc33

SHA512
921143af27699ea57449c17a561f930e7332aab63b6ed534df547d03b4606e96cc973a87d8ca0f76a9b86a5a31ed4a6faffdf72339b706ed02316541ff83f0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
beec41183bf91473b4dbd92bef69ef2b

SHA1
001066528af3968623ed358839dd4c0edf7c3334

SHA256
8a91d21aaf85c9e8f9814381e1ca315ee39afa4ccae196a8745632b1d7fe5756

SHA512
8b1d995af7bc8541fe73a0bd2975624683fbb98f211266fb24e82fe370cffc8e60eb8bd27af3376833caa94e996ea11771bf68accad383be5f64d7a88d5a0f55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
6f6f8d23bcc02880e83345178e98d4f8

SHA1
4620ffe1f9c8572e4e88fc06e0546fe6b1205423

SHA256
1f177ddbbd8e8d960e6089bfa0f092cdd706e412527b8d9e91283a8b9aaf55fe

SHA512
d45d9da84d30dc1cca34a930d61d48a4df1da1d2ed6351784ba96e23448f985d490db94d471ca38c4d50f4d66f955aea4be744e21612dda2a5dd59435dfe8456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
591bdb4012328c54376baa3587e1d78c

SHA1
15cbbc1d1690d345fd447e7618603491e977955a

SHA256
92727e52e74989e2e80bea930058b9550d3ab8dd9534285c7e3ebc21becd8801

SHA512
30eb6ca642bb1f37c67d438fc83ac4ccd6424e0762ec97861419989a6314eb7b73becdf68cb2879c298de860c104db6abb9965b6154d3e91f325b683f36ec928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\eb790be6-44b9-4369-952c-ca5cd93df1de.tmp

Filesize
356B

MD5
90b1f2c84aec049e15140052e53cf254

SHA1
845b9c214f6b9db6dd708363964a75830510ab76

SHA256
25e4dd3014741e409971dedcbf21db40dc91904496e644b1a2f35017b2ac3a32

SHA512
5484b720b924e5161f80c8e3c3534a95b144dee243218da673510c7bf592da4fa46b1fb68e2534a015e7d7540da7cf9e7a4d9c36d83a849a4082c17ad53ce66b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20b28a104a80d2f37cb67a18c7493e69

SHA1
b5b379516269574bf777331eeaba7f611ae68288

SHA256
c40015d05a1a3404d6c323dbbacff30c7b4f72f8d2fdba63c1b555b772bd7aea

SHA512
565636decae152b6d478ee330d5cb44fa31d6e18be1b986468db0c1f3f0e2c244ec1eb5a40e4ca8c231bbc00e9d224db88e5c28f73815e44b1e7df7f90efa968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0100c786ec8419d80a12d1ed616616e

SHA1
cf4d1068c5e5cd707d22e7a9da0160837c6c6e3d

SHA256
dc0eeefd527be112d5b224c1d049c3fe7eebb3ba8af1c8791381d46771291164

SHA512
43280992ed224d321cb000692afc845c97673c3a147e58e503e7c5472ef621b7ce83f956cffab0ad56ddef87985bde1f97c8410f514276e3c374e397473b2e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af5a27802033dd01df357eabe07e55b5

SHA1
d452e67166dfc4804014784a1b89812de37ec668

SHA256
ca68af1483cc16b90e9d904700a033d1d3a6f7f21f6deacf809606ba55beb852

SHA512
0ee2f878d34c163ff9ef86b211c8d9b527c583514aaf8e90d71a4fa3fcd9c28ff233c34623a966b202314050f6032fc69be4b4b84e9310fac6ce6e06b89cef36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4ac365266b8eb5c9a3255c9344f8d8ed

SHA1
2757847e64104177f0227ca1e669f1653fb3cb37

SHA256
0e91e8ab5c3710bb353f0341841267b4fce4662ffd13d7abc5f9d77f42e09d4e

SHA512
a02a13d645e69dabfc534ffae742edf92235cae0dcdd0f8b8fd8a36d0e66774dcc5017810e0823ed6ea9b418f13291ca72fd8fba911b29d784d36ad7f5851142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a38e774c5ca39d0dffc6f3c43c4823e5

SHA1
9f54d700c634fd7346a796aa8cfeb208ad3a2710

SHA256
3d4c4f808c6fa08b2ebdc7dc45e13a5a7ae7e1a7ab0bc9cbf5d641dec8053150

SHA512
09b2f3e08182f84241a1aea6e179b4f524b053719ddcb659c506baa576f01912ec2a7f45922a719cc842e3d630cc43a276d65ef897522e106232397117cc3b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
498f8650676e9576896206980a5385e4

SHA1
11067c0be118436ecb64295752aee9fd4ffd9a8d

SHA256
498a0c3419f873e7413166eed3b6f220b955f68d24c634a8e2ea96e9275059cc

SHA512
1c823a5a136efcbcc42fb7eb91dde98e83ef6c1910a1399caedc02fa835cfe3c5876bb9ff951c9792e372ba0b7ea8ddf71764376e6a534d814dd651770641cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5cd341dea999cb824485c757e706c2e8

SHA1
b132ca892fcb805c6a3e35a4b87fd9be6301c41e

SHA256
b3443938404d5169ae0e24ce5c1bf3d891fc2c69a78374d95d8f683392bfff37

SHA512
3eb8c78cc92f355e73833e155b8ce41182f06d6a645af47b389903171cca02435467b14ed7f270aa590b9dd5dbf0009b4096c84151492545f82a3960064412d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
145d5638529bd9967a03ef2b495a93d9

SHA1
65edd3c585f7be94e9fc6873d73305663f524407

SHA256
123d724333106dd4efd1ea7f1eba0c82756e209fa8cbcb3d713a160701426028

SHA512
cb793bb3fc1a74f2670264f6d2e4191daa833e926e7d778cb405134804216b77e66cd912e596c8eb857cf1f20003f607b2cf012d7d0186a2d32f6f80bd6b57f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f55d39b3758d0fc2495986b2a565633d

SHA1
a0c5c1a80b360955def379e8c12a48923ad8e9ff

SHA256
04286a5164a7c3c68b0b28038ccd08ffc821a743f84867f9e0360a5ff6c263c4

SHA512
d16a90143cb505fdab472463eb882180131b07e27151c808cc9c06d9eb0c97cbec3dbce48c29d3d92bf5714e1c873dd4dc6d0f68cac25077a4692c48740e253a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cf5c4d5d6149dd8d6d5c802347643b85

SHA1
29a440ec8ed78cf25e43bb5553ced999a65b585a

SHA256
56264444e6d417c377363b5239bf565d2ec25f3381c497e6a0be49914a8d9465

SHA512
be3986dca4193c08674221153ef2d49ad798afab44b95de021fc4444041cef1591fc98c05d7d31c9a8cb513b7a9817fe0be92a9df521bd40e8d6aaddeaa32215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
3KB

MD5
b8736574974be263e389b9036c71567c

SHA1
4037a0d18343253635574ad8a3794bc9ec63a6d7

SHA256
a211e786655585ae43098cd0e0823127eb7c1bc1500db7c7e950559200904b04

SHA512
556590b8c7b22e416a268bb9d9a0c5786bd02b26973d0fdb667591a227e25767762800a56363435eb4ce2928975cda6ecd3f93bb1e6492781dba3b9f50eab9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
df327a33492566e9dc4bd39a985e4aa6

SHA1
06db86f0506dae11a4edff96d9ccb144068405a8

SHA256
e07aaaedefd0c8c14646c5f6b6bb90fe52937f183c074828cedbdebf5f9296c6

SHA512
b2e5ea0b3dee1cbb9180a08fd41dea968e84d13b40e8b9a292a33b439408d64f59a8b825e78bc153e031fe263e8d292f43e054304b9adaeed5770aa7605b4caa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a9b13c7e54f4315e69a6644f4adca9e8

SHA1
cbedd3387d2dbdf33abcd0454cb07aad24cc8acc

SHA256
1617504682ddbe2e74f0cd89518b1b8289fb07ead934a56562bdd7b08f391f9b

SHA512
71bda89ac0fdb3ec03e5bf28498a598b1b46bebd4aebf4ec38dd4d5058afe7724cdf304049e8cb5e7bf9d96b6c9f59f5d2551fdfe8d743aea4801bc47192b218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
908b011e401921147bc461ea5918a994

SHA1
538d2d1034ead9f11ed3d5c7160fff8e76f2daf1

SHA256
95a515dd80bd18d652dd04fd765c17e38e19f38bce824a1c2cd7ef8a0ad57715

SHA512
ede6b1755e5de4b25f20b278c5146f9a80f9411d999d1af901cfa2fa8e3e1cb19d16535deba9c4189e14e73c3fdd95be9cbeaa80736295374c02b001bee38c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
7b3d8443babba21a3b9efae50d0fba86

SHA1
b33c50a14b3e0c5c30ba5472fb985d5998afc39a

SHA256
ad67ca733eb4b7ab1afa1bcba6fe7594cc6528f7c53876537f4a5c1ece46ac5e

SHA512
993fabde173eea7a52466a5abb2220f194e563bff04a6e2c00ed5d689aa4d818391b974b4ae915b1730943e5a2ca4b3741707f368ccc501fe32b7d73d5e28f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
9d04f7ab100f430428c889becb5f59e5

SHA1
c1d2cb4e77c1db3f4d1dba6618a09fa27458cb1a

SHA256
e01f486d7b38906d3f213f72924bfeaf75fe2190e6d307a5aafb3d17e9257756

SHA512
5f50aae77daf5a329441a189bb7a7d7c196799f9e01462e90a33a2ac4ad7f8e36be3246d63446b49ea285cc100a98cd9c446f82fe3467ba010d11ad7048f6693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
92cbe0576d38023d92f33892e729eea9

SHA1
3d15889c238680e8668237d684a7c68f086ced24

SHA256
75d521498ab20fa4c78c5d2961574f8201a41911dbec2be00b62b0ce92d109ff

SHA512
28aadf6500a15e7902428ab00b3c5ee262ad00ae9703dad2f9efe5f1049591d0708ad1b4d5f79c32070c4d30afa80a417b5437242520b323e18b2e4b96cd0c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f50f5fca-3b8d-46b5-a95b-7f8162ffe83f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
8a8d7fdd2094f30aca7b04ac0c4f0ab5

SHA1
181f6bfc4056953b7006ff9458ca3c5dc7f5048f

SHA256
935cce3971321b69d9db8a600aee830dc01629e22ab59e652c5c4d6677f27134

SHA512
41b468554d238c7804a3c8c72c63ed58c76ec2478ad813064e396f90e126480c19efe177eda5f9f2b2426b0817d2ce9f98ce212c96ee0f0fc067129e4da8e54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
afe809e6dc3ab8bda8c0ed9a67751095

SHA1
18fb98ac29e934cdbf0d65e27fe785cd932fb4d2

SHA256
3a1e6bcc2a898adf37e47ea07312a37aeb8680be455c89c3913e4cc71a896856

SHA512
f3bb40f4a1b348abd8a5f3e33ff4bab9f205c33589a1719bb052916231532ec8539c688f5ec362397245927ae498a1e708c32b64bc9f95210ffa578f68c2dfe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
119KB

MD5
f0ff4a044e708eccfc95b27964385120

SHA1
49e5bd8dda8bce642f523ae531207e6bfa182b03

SHA256
705193ea8ab401628ccba9ee4f4fd4e23cda7a8364fe0223a89a6a84c58d5c66

SHA512
175230e623698a79152cb216be0470b32fb237a7a70a787323768b32a4b250eaaa7bf324379d17aa6d44470b811344be896d454c3275fba0bb4e2122db495456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
14d0efba962e3d24ee4cb56562a5971a

SHA1
f4c52d3a76bf73a3895b6d5b2fc5b7cc7e306b08

SHA256
6bab9cae33191cdbd9aa4cdaa34797071d9b87a61f030959d8cecdfb8f0501c9

SHA512
88bb12e55d90bedae919b5c0f2827a801ec8c35b874f877c758ff74f72ee1119b14120ecee68c0c9d6e57bfe35a1f75fb143078df7e9d1eda391aa90ce2f7484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c597b5320d97ca3057fa7e5ce53e6d99

SHA1
3ccb59086776fc05ba10f1b6379471454d1771f2

SHA256
29db5a15093a896107f56f4938417b85cfdeb6b77259cfd46a1387c051fdf58c

SHA512
b07566221e5c02818e54ef6f9f5952bf382dbd29778fbcf6a4f084659b5e0be9076a1d8913ef0c12db74f7be9316843764db5efe9e0c135787c7de6bcc8cd5b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT(1).exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
a00e8719d30d7819edabe3611ef43805

SHA1
c4331d8ad69f18db8cc94d905c185479d7ac83fe

SHA256
04f8a330263d0b62e6af9c11d2928ec57079ced82746b5259221c330010e7c92

SHA512
e8b3e7bd1b506ec67635fd7f22ba19a41d956cc5c1c420a0715016ed69f73ef2317420f63fdc64ceb46629d38834b40c406ac3c12c92f9d45a0bc2c3547bd41d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
a10d6a26c7bc3ab9203441a153581aed

SHA1
07fa39823a1eebfab899d1e4a93a2e2c6a3bf12f

SHA256
45f56aebe8fb2e0e579a40bd786abaed07a754d9523b6f778b5f47e5f7e5a326

SHA512
72b238cdcff8705a1608a4fb964c3d50ec1e50a1789defee7e4e21af59d157e541212179ccbacfc436aefbf1d8d7d1e5e6b7e001a0b270d0550a43bbeb4a935b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3608_1855209139\360488c6-a559-4195-902b-e32f0ef7f343.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3608_1855209139\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
e1fbaf3e88df64e4dfd88f429b480f44

SHA1
5865533e6c32106fa72cfeb47f73d3c7778f66f6

SHA256
6242a779c8d051852f34a70e3dda180b8537653ba6c9149f32035ae1bcbf3104

SHA512
67cec82a943b06250ae28df3c7a42d1b97c7ff39fa8300d259f1bf2817d4c7c07aa7fee6644339bfae763ce0395e48e019468a4a91bbe4af56e502bc7095273d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
17KB

MD5
a39995d2d2fec2e56e28f744aea53696

SHA1
78b95de7a91cf649a15de3a4a303b05a8e3d50af

SHA256
305559873f242ed34cbeb1b57bf236970bd8a9a061c543dd26b1c8697e6bd2ab

SHA512
6b2d20e31e9f82e08bf066913ec4f6509b137c4f2361700d942c4840e749f6c266ac3daa49f595259c1dde679c2347892d1dc587a7155b8a43b53be5b292f957

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
de27e7b0f2de772bebc8ba07dec876bf

SHA1
ddb3fea046f36cbf1cb6dd3401b268789f15bae0

SHA256
f82bd5a604e33c7f9416cecee1d2b0c881cdaba1b3823afca073bf45088e1ede

SHA512
b5f816d8e7b9b8d324da608a81bfae80047e93a3d2fe0c9567a29c0293bf253d2b971660658f27e2a6799a05a8f09f09cb9916ed6683688472a38f8b95132689

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
1a7b99e9a705b962f0abb3a9d97ea1c5

SHA1
1b1b4928d2ef772521b775606b114ddbc24c6b39

SHA256
da1e111b8944cb6bf3b36d34e8097010812ed5b90181681886b563084e31e10e

SHA512
9568aa7243c9b2dba11664ff0f4714f21f0a2ae6f7c01eabf6c25cbe6d4541b39bd7e5d5de0e1e87ae3e0067f974a97a779e1dad7f4ca7c18b8aff9d562bf9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f7f401d700d07f84fb83fea519bd12bf

SHA1
a9e2a5e26630bb742b7b149b4592f2434f6218e5

SHA256
ab8de4b9214ec8277565314f7ff38569f6184993a5b7b7fb03111f0b82fa9b8f

SHA512
c94282379e3a7798de5bfc842a86cba5b6b97bc83efbc8fed4416a463743a1d889b7362f66aa495f12c77dfc8d01c13d3a38a09f8b77d0b690c188438c45e2c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
7255ecce8c6078574daada7a7319b64a

SHA1
587c35242ed78b3e39b098e9c2e29861b57f0e4c

SHA256
3c49ae42cde471c6147c6720d2ce5dd0b3d8bd5ffb798361644eb9e047ea6778

SHA512
84252cafb6b993ae5f97627405f67297ff26cf985284f7520d825c34cabbf2f598dea2c4ff698fd38a34b0d9cc45ab84ee79df0a96824995c80e21498903c120

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
66KB

MD5
e6a0cb0808ad17c08ab0575df5e8e2f1

SHA1
7482a7cc11cfbd3c054fcf0a4ac5bf901303f23b

SHA256
0b067fc2432f165c3dc0456271b530935bc8c0e8febcef23ea98e198e476139d

SHA512
9da4f198fd3f9e3c3f2bd04c670568a72426686df937319d060ac5ecf4ea21adea3ea5661520e8594aa558c090a53e0cfd835fefa490762a39a5459e89770480

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
66KB

MD5
cff5efae91bc4899bcaecfa9889cd440

SHA1
d9d2e371664acb87e899401212780f9657aa51d5

SHA256
d2ec5d866160d3081f044930e3de9f4d58ebb8a93656253621456a91de5bd11b

SHA512
cc14ad8ed7042dbe443974b0d0c22616bd5a7438a81c707f2862b4a4049ba5a6f6ca37d4d64ed8aa4c69484e465e10a8141383dbe6c3ef79a7f9cb614e44a22e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
67KB

MD5
cc1dd4b4f0bf2add30923e7c381f74b2

SHA1
9f2349b64565e4dbacbbc3343963c960befe7b96

SHA256
fa48e5544c16ebb328999beeef61deeb50e82aa0afc6acc3c4aadd2efbeb1386

SHA512
7f4702d6ced8e16cb4de0e0fadf7261b12c7a7c673d43c8997414b970c18c1bcf50a7b89607fda01f759285c188816f80875a1020c9274b58ec0b24715e5fa2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\163f346a-77a4-4149-86c5-50816b1237dd

Filesize
982B

MD5
427b5b262b57bb0070a70becd5d1a517

SHA1
d13f1a6ece1caebea6008f29706188c167ac2979

SHA256
b7bbc94f67d0898e460284669a2bc1f6a0140b7d98a46126cb2c773149b45cb9

SHA512
3a9080c62173188accb49939e2e30b3f1acd16a38de931debeafd4c72411a26ce57a7d43c88591f447a6a262f4dce63d445a88cbc5d4362283fb73a6c6ef6de0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\1ef128d8-b736-4d5f-af60-5e0f939a7eac

Filesize
11KB

MD5
db9314b066c2397357f0fecbfc6afc99

SHA1
39b6158e84c498ca9e223073504e7a4c70d5bc8e

SHA256
ffaf503758607ce23265c746888e04e9d9fb2aa54f3fa13203f65679d71d2f70

SHA512
00eb096f834d35b3d2f708ba6f382563394137885299303ffd1bb8f37aed6c704f2b6a68e5e3e2309413e7c54fb6f65c485b34d5ac4e6208e4d32408886d7d71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\396bc05e-43ca-419a-9dc7-c40201363e1c

Filesize
735B

MD5
0d02af216189ab9ac95e02ec9e982e54

SHA1
cd42e72a7f864ff801c60503f43d9fd5bee80ba3

SHA256
6b9a9ebea68c085c9069ee9736ad05baad616cd3dab75549ca27cd927598327e

SHA512
ab422e05f0f1200e2279f08692d467a804f623d159a6e8c9aba9fe246be1bf27daab4b18d364c28a5b4de876bc451d0a1b8abed961e69fe662133ed7791a56de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\6b83d6e6-1fe7-4634-a065-7c3fc4b87ed1

Filesize
26KB

MD5
3bf78b735c74112a76815e6bad7e3f1f

SHA1
9d45e499767672c335558b3319393999a86d3c61

SHA256
afe474a49506b4d6c3487306489b3895260dd33af4328c51b7f68e33f598ad56

SHA512
febd9e09fd0c7a7b551eac58313485d4ad60cec5e2a0f8290ab123c8d6e96cecf5dd00fcb2e6455a1033996a6191981983045fd69e271ce45d09687d1fc7100b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\77e5da17-97f3-4900-b5d1-00aa18ded064

Filesize
671B

MD5
4446ad40c56d9c960bdeccec82e48491

SHA1
04019839085783eab6287a82f8752b234940afeb

SHA256
394a834ec7b03f779a48f199ad0c7547309b51cd89370a060b9eea0b9d318879

SHA512
af0f4ea1c5c7452f0e5f101f1a97f0966701375fb6f04b6b8061db76de104f21a3c2b5a9a38fa72fb2ecb4aeecc8f0986a5e30711120b64d838584ae33abcadb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\8d94d1fd-763c-46f6-a229-d23c0f9ac340

Filesize
2KB

MD5
71257949110c7adc7f4d2df1d462bd02

SHA1
2a4d04eb20a366661141cacab53213dd8209112f

SHA256
d9386a80655d26842fc3abfee01a9dee9048b120fa03a110de40bf1a83c4b5a4

SHA512
5d03aaa73227ec7c69e54659cf9d868e679ee7581e389b22703ba15d3d35a2d72b606e8a4d291b49a3021a2ff27655d9f30b6cd18d6cbfebb2c19f83f1f08b90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\f3a53568-4e1d-42da-b9e5-409202e0468c

Filesize
1KB

MD5
310101d950d775898eda34cf1a8f9bd0

SHA1
3599b6e7ce9758236a1383efccdaf07314fc2689

SHA256
04dad23d7753f815cdbdbf8e37a432a3dd6bfadb88e53a24889daf09d92dcc38

SHA512
cbab60ec8a1fd06f5087ba6a72c50f52f627a797761f61595912a6edb62909ec143aae9c348d61bed7dbe60ad6309a2c8fc78e6a9bc9832c4d3f4ba4f35bc5b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
10KB

MD5
541018aaf7785e2141c5b731ee018831

SHA1
7c473d1a0fe5941e761f77dcdeb475f446fd85b8

SHA256
55f33ce4191e7493e527fda557b0400cd26a1daa8a746e16a54ceeb9d4576384

SHA512
742b360f7d367cab1e3be0320bd539c14e091e7bb17c2fe8766de856b4eb0d8b40acb7fe7b38fec83d46f82523c9780de9226b4426725cc2faf6ed9d1080607e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
47a22eaf5704c61d8888afb887ca6b27

SHA1
c58f637c20c2e7725d17f84ff791594c1be531e4

SHA256
fc74abf264119af179bf4d1e26ee56720ee866bf14b57796a0e353214725fd7c

SHA512
e150f58399e53bb39bcb260e5a397e589f05309c5bb0603244131063a1db18045b59ec27b938382e7c92aba7e8f98a30b576c1372a32bfeabf211ef096b5d733

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
2e2149f4177b257881d9d22c48818851

SHA1
e14db9f58525bb2eb6889323d9a21ba190443c3b

SHA256
56da57332ce47a4538eb83fd79dbfe65af8647073ea3d54995bfe06505936218

SHA512
8cac9d01ea24626fea70791b3e83353407d04eae13e6d21a4db51b955e4bd450dff412f5cc4fa758142544ee2f43d50dc9989437df8d7ede1d72fe2b85aa363d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
e64558c31a3202dfaabc530a5a17b288

SHA1
86422f68cce45af8fc996b886f1187b6529fa1c7

SHA256
982ff6e6545034b506dea38a78a7beb7a7acefab6e631acea6264998e500b360

SHA512
4bb5cccacf0026b9ff7e5a1f6ae352c9cbbc86bf713173de0d0c5fdd8d61dab6351398a60fdfb9337dc393d82bd0915bea02d91948c648497d70cd0de688c56b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
2666ae2e27def3017fa73fe0c8b26ffc

SHA1
bdfbf3299949a18f1a28125a5145aa0b55e2496b

SHA256
131ff993b0bca53d555846a64583fa4dbcfce73e6b6bf39c4d91206add8d0388

SHA512
1bb68070715158193c8bbd9e4856b8e5e171a3b5eb845d53077428617949d6ddd2aed7d7a878f90c0bb0e7153b67338ad13c783f5c8742cfd549de3ed6c81588

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
9783d2cdab904757d1ca16cd2209e1d6

SHA1
57661c3395ff68d7d95dc91e8faffc287dac8571

SHA256
a2e74ccf0749888947a4301a2483765389703196c79045f37a04100d8d150c77

SHA512
fefad21e419109fa5f735e7bdfb12319fb0534b562e90ba44f51aa145f01afa514d0e32f1d78be52e5594d2f73acde1702d88ec45578b6e48654ff5c777ad0ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
eefc6783d4ded75f23e2313f4372a49d

SHA1
c9585334f8c8fb5cc600d91900ce951177a10f7c

SHA256
763e53467eec3de4039c78b085720fd4dd35f9399a160b3255c360af05a683f7

SHA512
76c2f3d4e32ee3a737030ed33b0eb6f7fdd66fae399b12ec651e5ddad5c6c1dc8bcd92bcb0ea3e82f4c3b0e9b4d49cb659fd65d65a69513d18ce47a5ea1d688a

Download Submit
C:\Users\Admin\Desktop\i know you're watching me...txt

Filesize
71B

MD5
cad41ca5e9f241924607cc0cc824a7a8

SHA1
b9790965ec933537904a79d9571f387a8c434be5

SHA256
12fa0ae537bed0012ae8f41219b0122ef5445e541ee585fa5701d12081ac92fd

SHA512
cca40fedf6536485ec96bd3eb3e9561b6c4ec59308b5d73a1e26403dc7436faa6eaf450dfbf331a04a17143bdba415b86ffb750b3d2ff915d3998e320df572d2

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/2152-1599-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1593-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1597-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1598-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1600-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1601-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1602-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1603-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1592-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/2152-1591-0x0000022D2AFB0000-0x0000022D2AFB1000-memory.dmp

Filesize
4KB

Download
memory/5124-1615-0x00007FFF627B0000-0x00007FFF63271000-memory.dmp

Filesize
10.8MB

Download
memory/5124-1125-0x00007FFF627B0000-0x00007FFF63271000-memory.dmp

Filesize
10.8MB

Download
memory/5124-1010-0x00007FFF627B0000-0x00007FFF63271000-memory.dmp

Filesize
10.8MB

Download
memory/5124-1008-0x000002591D4C0000-0x000002591DDD4000-memory.dmp

Filesize
9.1MB

Download
memory/5124-1007-0x00007FFF627B0000-0x00007FFF63271000-memory.dmp

Filesize
10.8MB

Download
memory/5864-1012-0x00007FFF627B0000-0x00007FFF63271000-memory.dmp

Filesize
10.8MB

Download
memory/5864-943-0x00007FFF627B0000-0x00007FFF63271000-memory.dmp

Filesize
10.8MB

Download
memory/5864-942-0x0000019DBEF00000-0x0000019DBEF1E000-memory.dmp

Filesize
120KB

Download
memory/5864-941-0x00007FFF627B3000-0x00007FFF627B5000-memory.dmp

Filesize
8KB

Download