Analysis
max time kernel: 138s
max time network: 164s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-en
resource tags: arch:x64 arch:x86 image:win10ltsc2021-20250314-en locale:en-us os:windows10-ltsc_2021-x64 system
submitted: 30/03/2025, 20:05
Static task: static1
Behavioral task: behavioral1
Sample: v.exe
Resource: win10ltsc2021-20250314-en
General
Target: v.exe
Size: 844KB
MD5: 7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1: 1751d9389adb1e7187afa4938a3559e58739dce6
SHA256: 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512: cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP: 12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG
Malware Config
Extracted
crimsonrat
185.136.161.124
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule
behavioral1/memory/3144-1486-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll
Chimera family
CrimsonRAT main payload 1 IoCs
resource yara_rule
behavioral1/files/0x000700000002832c-1228.dat family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
Crimsonrat family
Renames multiple (1609) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Downloads MZ/PE file 5 IoCs
flow pid Process
203 3236 firefox.exe
203 3236 firefox.exe
203 3236 firefox.exe
203 3236 firefox.exe
203 3236 firefox.exe
Office macro that triggers on suspicious action 1 IoCs
Office document macro that triggers only in special circumstances; often malicious.
resource yara_rule
behavioral1/files/0x000700000002831a-1140.dat office_macro_on_action
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation CrimsonRAT.exe
Key value queried \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\Control Panel\International\Geo\Nation VanToM-Rat.bat
Executes dropped EXE 9 IoCs
pid Process
984 CrimsonRAT.exe
1180 dlrarhsiva.exe
1808 VanToM-Rat.bat
1972 Server.exe
5992 AgentTesla.exe
3144 HawkEye.exe
2728 butterflyondesktop.exe
2284 butterflyondesktop.tmp
2688 ButterflyOnDesktop.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat" VanToM-Rat.bat
Set value (str) \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" Server.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop butterflyondesktop.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 1 IoCs
description ioc Process
File opened for modification C:\Program Files\desktop.ini HawkEye.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc
202 raw.githubusercontent.com
203 raw.githubusercontent.com
204 raw.githubusercontent.com
205 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
242 bot.whatismyipaddress.com
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SystemTemp msedge.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process
File created C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier firefox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentTesla.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HawkEye.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ButterflyOnDesktop.exe
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2067557190-3677960511-2209622391-1000_Classes\Local Settings firefox.exe
NTFS ADS 9 IoCs
description ioc Process
File created C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\CobaltStrike.doc:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier firefox.exe
File created C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA VanToM-Rat.bat
File created C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\NetWire.doc:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2900 v.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process
4332 msedge.exe
4332 msedge.exe
4332 msedge.exe
4332 msedge.exe
4332 msedge.exe
4332 msedge.exe
Suspicious use of AdjustPrivilegeToken 29 IoCs
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 1808 VanToM-Rat.bat 1972 Server.exe 2284 butterflyondesktop.tmp 2688 ButterflyOnDesktop.exe 4332 msedge.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 2688 ButterflyOnDesktop.exe -
Suspicious use of SetWindowsHookEx 32 IoCs
pid Process 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 1808 VanToM-Rat.bat 1972 Server.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 5992 AgentTesla.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe 3236 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3608 wrote to memory of 3236 3608 firefox.exe 85 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 5000 3236 firefox.exe 86 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 PID 3236 wrote to memory of 4788 3236 firefox.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; each entry lists the image path, the command line, the matched behaviours and the PID; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\v.exe
  "C:\Users\Admin\AppData\Local\Temp\v.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 2900

C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3608

  C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Downloads MZ/PE file
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3236

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27101 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2068 -initialChannelId {c34dcdf1-1798-4214-ac94-95c30843c01b} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      PID: 5000

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2432 -prefsLen 27137 -prefMapHandle 2436 -prefMapSize 270279 -ipcHandle 2444 -initialChannelId {567947de-515a-428c-88b4-133a7df36a8d} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      PID: 4788

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3824 -prefsLen 27277 -prefMapHandle 3828 -prefMapSize 270279 -jsInitHandle 3832 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3840 -initialChannelId {ca999e3f-c099-4180-b7b6-405862c3ef87} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      - Checks processor information in registry
      PID: 5016

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3828 -prefsLen 27277 -prefMapHandle 3824 -prefMapSize 270279 -ipcHandle 4056 -initialChannelId {3a02c358-292a-4a7e-a5cf-3851144915ad} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      PID: 1076

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4488 -prefsLen 34776 -prefMapHandle 4492 -prefMapSize 270279 -jsInitHandle 4496 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4504 -initialChannelId {1da74517-5d38-4182-a308-8f7a1f84a23e} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      - Checks processor information in registry
      PID: 1544

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5108 -prefsLen 35013 -prefMapHandle 5028 -prefMapSize 270279 -ipcHandle 5116 -initialChannelId {381ddf78-cc2e-43fd-a1d1-f917c5a7c629} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
      - Checks processor information in registry
      PID: 3268

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5404 -prefsLen 32952 -prefMapHandle 5408 -prefMapSize 270279 -jsInitHandle 5412 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5424 -initialChannelId {f5bfa71e-eb5f-4895-a5a3-e38fe1b35178} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
      - Checks processor information in registry
      PID: 5688

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5612 -prefsLen 32952 -prefMapHandle 5616 -prefMapSize 270279 -jsInitHandle 5620 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5628 -initialChannelId {6342a643-38b7-48d9-962e-c89c3f848660} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      - Checks processor information in registry
      PID: 3696

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5800 -prefsLen 32952 -prefMapHandle 5804 -prefMapSize 270279 -jsInitHandle 5808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5816 -initialChannelId {fd9d9706-5302-400b-b9da-be64c7f13917} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      - Checks processor information in registry
      PID: 1368

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6380 -prefsLen 33071 -prefMapHandle 6384 -prefMapSize 270279 -jsInitHandle 6388 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6396 -initialChannelId {b16c5dd0-c643-4236-83b4-061dabdedc16} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
      - Checks processor information in registry
      PID: 552

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6768 -prefsLen 33071 -prefMapHandle 4440 -prefMapSize 270279 -jsInitHandle 4408 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4416 -initialChannelId {05b50521-3600-4cd0-9833-3589032b8a09} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
      - Checks processor information in registry
      PID: 6112

    C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7196 -prefsLen 36073 -prefMapHandle 4888 -prefMapSize 270279 -jsInitHandle 6932 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2976 -initialChannelId {71b025ef-44d4-4539-a0d2-4b1e7b3ec75f} -parentPid 3236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
      - Checks processor information in registry
      PID: 3780

    C:\Users\Admin\Downloads\CrimsonRAT.exe
      "C:\Users\Admin\Downloads\CrimsonRAT.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 984

      C:\ProgramData\Hdlharas\dlrarhsiva.exe
        "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
        - Executes dropped EXE
        PID: 1180

    C:\Users\Admin\Downloads\AgentTesla.exe
      "C:\Users\Admin\Downloads\AgentTesla.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 5992

    C:\Users\Admin\Downloads\HawkEye.exe
      "C:\Users\Admin\Downloads\HawkEye.exe"
      - Chimera
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3144

      C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
        PID: 7056

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7056 CREDAT:17410 /prefetch:2
          PID: 1496

    C:\Users\Admin\Downloads\butterflyondesktop.exe
      "C:\Users\Admin\Downloads\butterflyondesktop.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2728

      C:\Users\Admin\AppData\Local\Temp\is-IKVOU.tmp\butterflyondesktop.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-IKVOU.tmp\butterflyondesktop.tmp" /SL5="$40218,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        PID: 2284

        C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
          "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID: 2688

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
          PID: 4936

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
            - Drops file in Windows directory
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            PID: 4332

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x308,0x7fff0594f208,0x7fff0594f214,0x7fff0594f220
              PID: 3796

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1764,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:3
              PID: 5804

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2604,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:2
              PID: 4536

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1900,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=2652 /prefetch:8
              PID: 2024

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3408,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:1
              PID: 5040

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3416,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
              PID: 5692

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5076,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:1
              PID: 3868

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5260,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:1
              PID: 3352

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5412,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:1
              PID: 4404

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5460,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:1
              PID: 2284

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5740,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:8
              PID: 6216

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5768,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:8
              PID: 6224

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6060,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
              PID: 6296

            C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
              PID: 7080

            C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
              PID: 6280

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5292,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8
              PID: 6664

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7108,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=7152 /prefetch:8
              PID: 6524

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6932,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:8
              PID: 6432

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=6704 /prefetch:8
              PID: 6696

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,15705434913922842298,4691513995575212060,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
              PID: 6680

C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 1808

  C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
    "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID: 1972

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\VanToM-Rat.bat
  PID: 1984

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  PID: 3800

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c
  PID: 3820

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 5848

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  PID: 6712

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
    PID: 920

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (3)
- Credentials In Files (3)
Downloads
SHA256f32bb5cdbe35912ab05cc74cf57b8f1a2b8e7c39b01d06a563fd2cfa0f21df65
SHA5121860d7ceedf9ecc8c66d444762195064af5ce42872f957cf25fec29caee7c4d66cc10a5164ddde5014878eb2958e9b38d882dd9dbbcbfeec41aa97d91a43989c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h550saij.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize13KB
MD5dae4b4e3c958a88de3c02fb8fd35652c
SHA1de55b3d12411ae58e1cc7148af93576550c51898
SHA256cf93f62439bf126555420da54f3d8efd2574650ce862c532150768443b8d140f
SHA51267b726c0d25d6e6343c55c1b36450117527bf89b9cfe091f673c6e0f0ffea31c0d0c519cbedf3d87e0c8be08cb47784d8704f63380cd3044b05d96a8aa4b5dec
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
39B
MD57b3afea60421bbb95c700f49165bf550
SHA1ba0e7a079884966f14c04789008a1b3ba2253d9e
SHA2563f331c4de18b623e9ce3d32ad470bfdf8769642693b453e8d9af9b258ca28c7e
SHA512c96097c961a643b99c2148f29df5338cce83042704cbfd55e9d4aef3f723b0a93d7fc893c3ec1ff031890e21f4912dd63f09391c944fe46f79d0fd7b46b8187d
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
7.3MB
MD56b23cce75ff84aaa6216e90b6ce6a5f3
SHA1e6cc0ef23044de9b1f96b67699c55232aea67f7d
SHA2569105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
SHA5124d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\AlternateServices.bin
Filesize8KB
MD56dab473bf8f7449beb99611a418627bf
SHA13f45ac32f3b78ecc7edd245aff7740670c5b32c6
SHA2560714c5639c6498456eb15ea8869d8e376b2491bffcd7cf67f6ec91f881312303
SHA51235eddb902ca7bd163e26d1109dadb4f30c6731d5f3301f8551e2e3461053fdc2b256166e1d9841571304554902e6b9c8490f33564c1c08eb1bba9448bf0fec1b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\AlternateServices.bin
Filesize18KB
MD5eae2f50bdef3582c1838b154c1397a9a
SHA131bf9096919e8996227a083f686305e6457af14a
SHA256991565f7fba46fee6b75ec4a86b090d5da5c35c6295c4ba33c5e2cb610919d7c
SHA51217bf615c2ead8919e6b0dc6c7b37376b8765e4e40436503d1ecd301f7bb35c6d98debfca8254a11b2c4c41992bc59eecf7c576acd16291f0b94180c5e38a6ffb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\AlternateServices.bin
Filesize21KB
MD5f327a2e7d205b766b97fa505f4a1d4a2
SHA11a3f1fae4939ed1b0b0f65a6a12aac253942e449
SHA256d1c781c94d118be2105fdd44613a55e1207d92ebbe9d22efd9e9013663d21d9a
SHA5121b1e1cc696893046c0566158ccbe4222af0f5e4279fa83f460176a9afad588ae2b7d6921722a2d80ea4262adb619f3e8ea7a654ddc249e7b1d2e7178bd5816cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\SiteSecurityServiceState.bin
Filesize4KB
MD5ad0fcd949e59b6c8a98a7d9b1d920515
SHA1d4b36be7070c1900eeb6d35888103cd7d0b6f9f0
SHA25691cba31c4520fcd32cb59bf9986e2f165158fd6927f984c33e906a03c059457b
SHA5122cf10517ed5d19177d445496723bdab8d4c944eb52cb90327e0409d3ec201a7d618ca63eef9f3933fb13bbe51410aa2b2c4c67f41977150fee6ed5302708bbb9
-
Filesize
198B
MD5ce9ef13caa8a74c25157b184aa038475
SHA1db03a9935d8bb3ce6b120aca98feade536805160
SHA256252b7fff962848c61092e82a3d87adca163849767713a93ab533bb397f1f53bb
SHA5120f6f5053e78167ef5cc5fa70ed3a87dd116df0671a590299277a197341bed983e3d77e37ad2c33cd4afe880fab9ed1c7f7502210040617a01f97a81c1e1d4f29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.bin
Filesize8KB
MD57c40f3484597a3a783b5f20cd9dfa982
SHA1c3c957f082cb3b0b4abda17133febb9cb2d09ad2
SHA256a565cda9bf29c198b1857fabb8cf6b9864bed207d1dba1a9ce73f2b7ad19a92c
SHA512c0120b0e0f25ee78bd6f16ae492ea7c83aa0aea598312b2a9dc19892d7ee37ecabbd9587b75eae92cad344f77a6bb143351fbfb49bca88854e978791b3a7917f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD50f33cac3651f18aaf8ab9a5e551f77c6
SHA1b286db04028c68a6dbf8a6bf43e9e94960ceac43
SHA256ffd13651463d98b84e9785ff5e76d2fbadcc76c4101b384bd32c09ce4dfad306
SHA512d236c7d04331bcf2d894263e05017fc6fd47e6f21d992c01f2946886937b1850bfa731d35336ca79063520a4d064a8b23a2071d38b8fc0a0b4f55be9e56648b0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD59e622ebbb9f60f69f7894f8987e4d6a0
SHA1836ebfcac8056c1555c8a15741696eabe58481cd
SHA2568dc4d51265886333ffdb6aa0cd2a5e73a9b4d4c5c19373468e68b47bf9251105
SHA512817ae849ef2ff10c4268063609ab85732e49c68de3fe5c7975e28f826878b5ff99e8c10bdf19fa13cc59fcbbb6698eab6a937449b48744cc72fea27ad0f4bf05
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\db\data.safe.tmp
Filesize7KB
MD5276190308195f85612d593d2852780ce
SHA1cd9fb191cb67f09a16ee36fe896104f501e4fde4
SHA2568358e90415e419c8c696f59695fb6931b9dcb9e43a3e70a1813b5445a5f3f22a
SHA5129a99ea441e1ee74ccb02635684b74e546978dbf914280e3a657d4529c4566bd63388d014dfda950502f8f3d5f9aca99ec2213637454e36bcccf6abe4bf787bf9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\events\events
Filesize5KB
MD5707fa995cc9bd0118e33f0ba0cc57e4a
SHA1e334aaeee004b713ed13335c06cc9751778664e9
SHA256ade91567857968253c1d7d0e33b1c076276c492a637b3816680d6792432f96ef
SHA51202591993e5b10879e7b05ec6b0bbea2bdc7ba89ee24d07f4e08b73d1366df7605fb1c9becd527e20987d8794223d4da26531f632bd7f32a75f5d94ba37fcc801
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\3858b5d4-881a-4aae-89e9-175060ddd560
Filesize235B
MD5b0f230adf1909a98d476f44ed7cfe38f
SHA15444ecdc7d2669333a9f17364d9c81cef18013aa
SHA2561940d7393ad4bd1e68f3028cac85abc3819cfc7e9da64931baa9d6839ff7fcab
SHA51274530d2b5e727f0f37d273d3845d5c48a0d4189e79ecb0d75385d560b99baeb24699789c13a5cf16d346fcf584b7c8dd2278f1ff88fb48bdc1082fbdc63eb2ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\76936fe5-a805-4243-9b1c-44035ce280d4
Filesize235B
MD54bfb3aeffba6a293c30615eafbae516d
SHA151ff9e0deb5d6a029fa6394e0e35adf77935ac16
SHA25691d69857c5dfdae4e36635c2013a792aea4127c64d1a3c0d8c624c496d73b332
SHA512dc27c09f7c3764aa4f64636e9173bd6c5e947d5871abc67bcf5f11c8544b0a50872157c84a76fbe0aff02e1a2ec93fd19cff772cb1448b2caf3842003b0d636e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\7b74f7ec-b219-494b-b184-6a2bfe265f18
Filesize1008B
MD5e82bf3a5e7a3fed5c5223e4f805c2943
SHA1417389914ce6eeeb55339344b7d7e0b99e4c7bdb
SHA25681b70bbe821f38ba5fa1b128cfd9c3ba81efcabaf3c2347a0448119477194e20
SHA512bfb370281b3a6032b7f64697ad1beb43ece6d9529ac43c277e27f6f23382d6bf1617be3083f30791392816b0b392ed64b93ac2da771cc37702042e2a20306b6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\9cf6f7c4-ad9e-4415-ac9f-64f6456712b3
Filesize9KB
MD5c8005a13f032db76eee0d0fb02993570
SHA1e99b1fc3e616640ebc0870c2e2f5021b15aab4e7
SHA2562b58274fee06d28012f155be46ec3d648d6504adc799c827ecbd5bd9b2d625c7
SHA5120ea275b54218899626a0fe2514dcd4bc01453416d81e453bfb0d86122142452a83d9d7961d8031bb9b403396cc0c6a733abcd4bef2ec777cc6396c7d0d6af326
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\ac33f60d-4fac-45f1-a8e8-a908bd559b1e
Filesize883B
MD591e0243b2f2ff0976f95c7a9bbf18a3c
SHA1f23a66f6cb08a271060e05b73f85ad54e57072b9
SHA2562cb09e80699e0703b040492436c65f8fa204e9af2f58c52d32ee5171b46a3211
SHA51229301e2a9d8c71fc1f027bd155a32dd5003b14d4ff77e053e5ab9e9ed82f80b0754947a1628d2c6014a9939b4e0bccec1a1a486bd87e586cb334b30c1c0ba709
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\b67f48fb-8985-4195-b0b9-2c1777d50e47
Filesize15KB
MD526ad90dc82b35d8f95851cc1235abb76
SHA129d4fae86717bd5e3e47edc2780554a1a923b531
SHA2566f95c37c93b68add296d0d52717e9010e0c153e9755d84ff488f5e17dd426524
SHA512dcebb1c574a7646262242215cc97447385c9ba3579c753f38bf39b3ae811c81737a52ca49d407b79a3e580d7fb50545fae3f6ff1a8a0eb65ad50db13688f0353
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\bd0fde4e-b5c3-44e5-9e79-b1b56909c08a
Filesize281B
MD583b7e514df3f5e8ce6d03b84abfba38f
SHA185c54ec137217c084d3f2f298817c0f5cb8b023c
SHA25609a9f46cd6ae3fd865d9e42928e02d24f5fb9a3011900f000916df6efb781b16
SHA512a3046582989d2e9954b585c346f833d8f6d9d82c5d1a326910cc9e2bccc9567e7e5573e252f8304218e7d6babeba586945737e4fb6768866b8f884667801a948
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\ef8660a2-4aa9-4ad7-ab69-bfe362ca6c90
Filesize2KB
MD5c33b07c4f161e9f7ee42465f5759e35f
SHA1714f8054eaea54a1d2133d9b59a52ff867e5e91d
SHA256bdbadfab6f7856923a294cb46f3818d9b4a13b3175c7bbeca7ff0f107b3620f6
SHA512254e87c15125eb73a7ada256f980f6e67b75c92b2572039e19b5529b1bf11527f8936f3e0dce74642c18e9c1893907f247c0387e86606dad3a9c942dc19c3d76
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\datareporting\glean\pending_pings\ffec6f60-51ec-41b2-9ee7-735fdffed67e
Filesize886B
MD5822945b862f45e4feda812cfa82d2601
SHA14a83622f06db0e3884062e6aaf1e90f16ab8ce10
SHA256a73cab006c4fb0947ad602fc8393f66ab944856db2a0f42fd37d48d40f35cc1d
SHA512727409c5041538a3634dfecb36e547f8d5efb4ce2eccf31486ba6e9722f77317260c43c7e467863a6a05d6f0eb696511430e09fb6518f06aea4277f6e092d209
-
Filesize
16KB
MD554990e8156dd5ff90f0e36abf3dabd8f
SHA16a578e37e033728f85190237f1a5606f1618f725
SHA256cb08e97bab02d3d82bfa818b227c2e5c119dc4f83fff67166c6e111e5ac64fcc
SHA5120572268fa9a12edbe3cbcda3c15b742d54bc5cdc3ac12c9db1c90d9aac1fc3298578b0cead1852a3c717e618b568fe3e31cabf0419fc485654379cba351611a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
8KB
MD532a5053f4b4f7916d5fabbd08e6866a5
SHA1d69733bb49c584c98e38ab492cb1b0b24ea209d1
SHA256b2a04f301e7e0aaff3f4c5e5f9f09cf1fd4d9308e7e249d60eebfa7dcd0a4028
SHA51254a5ab541d37f9a2479350777ba85328afe2bcf10df07a4c0ca34469b1c0f66852718fd35273525df10d93487c2712e59ae54a93c6afca2037d01c82a66228a0
-
Filesize
7KB
MD5799da6e071509bdf48ec49a63261bcb4
SHA1481b91e59284a6b954ad1dcda08cce17650fb56c
SHA256ace15cc9132d0065412ed939f7da608baef01fba6fea429dfed34ef8906c77cf
SHA512d1e9bf0834cba1f69cfebfa442e93c54af7d09d8af084492037d3bf5cd3daa608d35c2070a3987425a693d89d1752a3b893c8e39e235808c631bcfaf75b0ea09
-
Filesize
7KB
MD50037daf007cf4b16192dac94afd293f1
SHA12a0fdfaaf9082fff07899a3c8a363b4901193e3c
SHA256c7c181f0686699243fb109299537ff8361beb8c202e7e2cbdbe1c8ec32e1190a
SHA512eee40f053f186cdc6d8bc3364ea9961299ed67bcd0491e157514c3a14d16c44212ec8c63158097ab90571108c74795f8aac274d3879d71f260b2313f49dbef83
-
Filesize
12KB
MD5f2e9a5f018cd692d1b1d731bedb35de2
SHA1db09100a9758551f93849b7e1e67bbccfc08ab7f
SHA256bd5caf0bfc975d0e89c1359a96767dd23fd0e4c47ebd8411d08328cf605996e1
SHA51260016888db7f98c7bac7dbffa86640aebf60109f21af2262fda815c99dc60b2e858197ec49ff306864a8babcae3ddea7fa8f218425cd6ec814a28a42a527374e
-
Filesize
6KB
MD52c439f84f21ff6adecf7057ade291f78
SHA17d3403d562a023854b45df54119c206659225936
SHA2562521ce46bf62505f080c8e6b5c77e6a2d4b2a11c0c95fbe66a673e580858d699
SHA512f099916c9453deaa8a4a2caa01b62814aa2a34fce0eee5de5c5781115daa6a0bc29b7992d1b3f94f349d80f7640cded8345af28cc7c2f8e3d766cf6a5320fee8
-
Filesize
6KB
MD5d645c61a2602a1da6193c1f4a35953d1
SHA1a0f3e2a0adb6b9b2f4120f71428905313b880f66
SHA256082d91041687fc7f844075eb5bed734215ce7e4b116c6fe549459f8ae88c419f
SHA512e3c64cdf6e3dd49da3a65f697311a696f21490070c74f73230e66287f2fe6da93eebfc877d602822400dbb8bcab93bc50f1e9e649f4be63bf9a2b725c5c7e59e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD555398a6da8197cba2d4cc31fa5dad763
SHA13c1cca3a716a27dd14115fb2c3574140a03b2d09
SHA256ae4d4f964a1579c80f1011473af397e41d63d4c2b74bb4d502043fc175c324db
SHA512d7e63752e0d3a3dd00a8a557d1cdab441e4994426a7f14c64ec13f01ec39d51c46f5bf79d528485a154989d792107763016f0ea70f9bd4851e6c43307d86c663
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize12KB
MD5edcf60b3eab718c8950451bc841bd5bc
SHA1012189ef0b9d338552bc1cfb09e9f26adcd1900f
SHA25694fbbd2a6e96d73c0a8e6616cdc531777a0d716200047575994bc170c4fca63b
SHA512420cd37bba7295c9dfdc108889770a0fd750037994486cf1f16be2800c1794461b99dca236df2ae2afd3bf2604f742b3a91bc25c02defc3f1afec587ec0b31dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD515b6adcf8a5e02d1fe6ae156058bb781
SHA187d68d6cefc76f35755dd750bb521ff4a327d453
SHA2567443940c0639b16541117b5d93018627fcd90d2c60a59e845c4423a0f5050e2d
SHA512c6403200c9570dcc9efc52d0407c9c87281f83e4dcd7d89e353f90f058bc86f5e727f8681dbc52671b13d365e218a7d12d3077f211deea019963d435344cead8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize13KB
MD580dbf52b4d6d148336fa7ba1b31322ca
SHA1d77f26c9fff0de7c4c3a37fcd8defd963aa2e0aa
SHA256e99f0ccfcff84b5906d4e82959e3d5b7d9269700f4e3657f2a21814b6a31d6a4
SHA51237068feb104f872d06b4f51410fab85f75e1d4fd85958de84addeb8fe3c8914b6988e69a7ad6fc431565b5cbba7166307d3652f4eab959736c78126e4115d3c6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize13KB
MD5116153eb486fd167ea9c08b4267fe597
SHA12fee5b73b0fcc24d43f6b56c98670f521e028c50
SHA2568ad23e06ea3d49b8dc9d0e074663ba76507218217ae633df9b8c0d27ea82fefc
SHA512ea9271814aea91ffcc4eafd541e7517b4e4a9a60e7650ec791096a68c51a070424763f22b301d6da89e1d2b4a3253933f6deeb9d71c68863f4f43b4de52998a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize16KB
MD5df404f46ffc73b805ca776d8dc61f19c
SHA1f5d52343806549d7aa0f6603f9548cd80904a8cc
SHA256731bd51fc3cebaf007e7de664f4e111140778c6a6df2776a122ea2b2ceff8ddb
SHA512431ee649db055968722571d3511f1132b9199b0ab1d18b42dc92e1a035aeb803ee89a1472d64705f5b090b598318fb22fb56561838afb43da9372e3d7aeb2e24
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize13KB
MD5533f8b66e61efd5dbb2ad89a65226270
SHA1c008570a392b119df1c85c58ce97a9c930686f2c
SHA25644736c0ccdfdc9b40eead10bb68f1760ad49c8126634a1d9a94fd132d6763104
SHA51219a57154428ce460fd7d0f78ae2f227cadaba5029f51082029fa756a4f9449deff345ef91fec043c875be733f2ee8a0c6f0f91503ba9a19e3078c2a8c62cf737
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\sessionstore-backups\recovery.baklz4
Filesize14KB
MD58cb31899adf839bf055fd61411184d73
SHA1db56bc5ee2c03863290162442170a43b3d6268a0
SHA256f611b7e4aec4b4c426014482c440b2491d677d0ee04f9e7fa814ccb673463dde
SHA512398ef9b7084536409bd8a3ff60bf1e9225810c1c38e937a4d75a1a50587687fc55f7d806119592e3a74357327599efdfbdaf2f4a73100653029e66b7a9aaace1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\settings\data.safe.bin
Filesize1KB
MD590ca8ee9d5028712a070b70672e753aa
SHA10b0c5bd2f14b6d896ce861dde86a6a40e44c6d26
SHA2562fc06625a0884e03508bd17207f20fe5a9491d948eb46b1a8a82c85c73d998b5
SHA512a6517b7261d74eafd02557e6dfc4b075a3767892aa95994f6c4043ebdeb1e984490b97dbabf13777cb1f07d231f3a7bf1123d28d0e8a02072f9990275e64cebe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h550saij.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.5MB
MD515148a31fe2d922ef6d01de5f7f782fb
SHA1e4b45bc5ba679526d1f069b2c03c36e18ecee7d7
SHA2564d3c6eb921acf44eb131519494539cfc06c31e8a07ba633093b45cd56febc59c
SHA5127110cf3651374de21390844c7056b339d2e6b0101c7f0e4b7d643792d89407e62d70b8542a924ec681cd8abb21a6b3fcd74f5c9433f07a1594a303dcaf84ae6f
-
Filesize
87KB
MD551228c422534c6e6aa4679a200087f4d
SHA1db1f374b3146ec7670b2204a122f06bf34d44cf8
SHA256038a445187828648ddb2409bdb917f44092ba22a80cd204fc977045f73835373
SHA5125ddab0642a18fd0e17b41694515dd2dbe130335f0b5a4cc2575b77e782bf71a1602c12966dbfe1db0aad882928be0109353b14055e0f2f6f4bc31ce13d5cfdac
-
Filesize
50B
MD5dce5191790621b5e424478ca69c47f55
SHA1ae356a67d337afa5933e3e679e84854deeace048
SHA25686a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
7.3MB
MD5f1383872295958cdfaa3aad17d767ccf
SHA114e32a18f79449ad0aac32e441c2a8f3ed914b8d
SHA256bb8574503e934945a0e5edb27b980872351249d1297a9c16b759aca95da6cfb0
SHA5122648241d78b76cd85c2dfb4df2895657fbbd7de5d3a370334e3c9cbd5b0c54da0feaf3ce79886b19aca2ebdc56bb05730e705e1bd5d38f5dbecd057bba13bcc4
-
Filesize
183KB
MD53d4e3f149f3d0cdfe76bf8b235742c97
SHA10e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA5128c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize
5KB
MD5fe537a3346590c04d81d357e3c4be6e8
SHA1b1285f1d8618292e17e490857d1bdf0a79104837
SHA256bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA51250a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
-
Filesize
86KB
MD596ff9d4cac8d3a8e73c33fc6bf72f198
SHA117d7edf6e496dec4695d686e7d0e422081cd5cbe
SHA25696db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
SHA51223659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46