crimsonrat | hxxps://www[.]roblox[.]com/games/17625359962/RIVALS

Analysis

max time kernel
385s
max time network
386s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2025, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.com/games/17625359962/RIVALS

Score

10^/10

crimsonrat modiloader warzonerat credential_access defense_evasion discovery infostealer persistence rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024453-2280.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Modiloader family
modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000002444c-1348.dat	modiloader_stage1

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/6904-2298-0x0000000005D30000-0x0000000005D58000-memory.dmp	rezer0

Downloads MZ/PE file 7 IoCs

flow	pid	Process
343	2840	firefox.exe
343	2840	firefox.exe
343	2840	firefox.exe
343	2840	firefox.exe
343	2840	firefox.exe
343	2840	firefox.exe
343	2840	firefox.exe

Sets file to hidden 1 TTPs 18 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6328	attrib.exe
6856	attrib.exe
4188	attrib.exe
5556	attrib.exe
4752	attrib.exe
6648	attrib.exe
6072	attrib.exe
2740	attrib.exe
3236	attrib.exe
6596	attrib.exe
3516	attrib.exe
6324	attrib.exe
6744	attrib.exe
5012	attrib.exe
6684	attrib.exe
6112	attrib.exe
6656	attrib.exe
3080	attrib.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Blackkomet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	CrimsonRAT(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	VanToM-Rat.bat
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 24 IoCs

pid	Process
4852	NetWire.exe
4684	NetWire.exe
6536	CrimsonRAT(1).exe
6824	dlrarhsiva.exe
6904	WarzoneRAT.exe
6184	CrimsonRAT.exe
6308	dlrarhsiva.exe
756	WarzoneRAT.exe
5808	NetWire.exe
5524	NetWire.exe
1696	CrimsonRAT.exe
4652	dlrarhsiva.exe
6280	VanToM-Rat.bat
5592	Server.exe
6796	VanToM-Rat.bat
6664	Blackkomet.exe
3656	winupdate.exe
964	winupdate.exe
6160	winupdate.exe
6836	winupdate.exe
6076	winupdate.exe
4304	winupdate.exe
6560	winupdate.exe
4384	winupdate.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
335	raw.githubusercontent.com
336	raw.githubusercontent.com
343	raw.githubusercontent.com
348	drive.google.com
349	drive.google.com
362	drive.google.com
334	raw.githubusercontent.com
337	raw.githubusercontent.com
338	raw.githubusercontent.com

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 6904 set thread context of 3600	6904	WarzoneRAT.exe	122
PID 756 set thread context of 3516	756	WarzoneRAT.exe	129

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WarzoneRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

NTFS ADS 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\Users\Admin\Downloads\WarzoneRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7088	schtasks.exe
1332	schtasks.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	349	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	351	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	362	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	366	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
6904	WarzoneRAT.exe
6904	WarzoneRAT.exe
6904	WarzoneRAT.exe
6904	WarzoneRAT.exe
756	WarzoneRAT.exe
756	WarzoneRAT.exe
756	WarzoneRAT.exe
756	WarzoneRAT.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	firefox.exe
Token: SeDebugPrivilege	2840	firefox.exe
Token: SeDebugPrivilege	2840	firefox.exe
Token: SeDebugPrivilege	2840	firefox.exe
Token: SeDebugPrivilege	2840	firefox.exe
Token: SeDebugPrivilege	2840	firefox.exe
Token: SeDebugPrivilege	6904	WarzoneRAT.exe
Token: SeDebugPrivilege	756	WarzoneRAT.exe
Token: SeIncreaseQuotaPrivilege	6664	Blackkomet.exe
Token: SeSecurityPrivilege	6664	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	6664	Blackkomet.exe
Token: SeLoadDriverPrivilege	6664	Blackkomet.exe
Token: SeSystemProfilePrivilege	6664	Blackkomet.exe
Token: SeSystemtimePrivilege	6664	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	6664	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	6664	Blackkomet.exe
Token: SeCreatePagefilePrivilege	6664	Blackkomet.exe
Token: SeBackupPrivilege	6664	Blackkomet.exe
Token: SeRestorePrivilege	6664	Blackkomet.exe
Token: SeShutdownPrivilege	6664	Blackkomet.exe
Token: SeDebugPrivilege	6664	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	6664	Blackkomet.exe
Token: SeChangeNotifyPrivilege	6664	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	6664	Blackkomet.exe
Token: SeUndockPrivilege	6664	Blackkomet.exe
Token: SeManageVolumePrivilege	6664	Blackkomet.exe
Token: SeImpersonatePrivilege	6664	Blackkomet.exe
Token: SeCreateGlobalPrivilege	6664	Blackkomet.exe
Token: 33	6664	Blackkomet.exe
Token: 34	6664	Blackkomet.exe
Token: 35	6664	Blackkomet.exe
Token: 36	6664	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	3656	winupdate.exe
Token: SeSecurityPrivilege	3656	winupdate.exe
Token: SeTakeOwnershipPrivilege	3656	winupdate.exe
Token: SeLoadDriverPrivilege	3656	winupdate.exe
Token: SeSystemProfilePrivilege	3656	winupdate.exe
Token: SeSystemtimePrivilege	3656	winupdate.exe
Token: SeProfSingleProcessPrivilege	3656	winupdate.exe
Token: SeIncBasePriorityPrivilege	3656	winupdate.exe
Token: SeCreatePagefilePrivilege	3656	winupdate.exe
Token: SeBackupPrivilege	3656	winupdate.exe
Token: SeRestorePrivilege	3656	winupdate.exe
Token: SeShutdownPrivilege	3656	winupdate.exe
Token: SeDebugPrivilege	3656	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3656	winupdate.exe
Token: SeChangeNotifyPrivilege	3656	winupdate.exe
Token: SeRemoteShutdownPrivilege	3656	winupdate.exe
Token: SeUndockPrivilege	3656	winupdate.exe
Token: SeManageVolumePrivilege	3656	winupdate.exe
Token: SeImpersonatePrivilege	3656	winupdate.exe
Token: SeCreateGlobalPrivilege	3656	winupdate.exe
Token: 33	3656	winupdate.exe
Token: 34	3656	winupdate.exe
Token: 35	3656	winupdate.exe
Token: 36	3656	winupdate.exe
Token: SeIncreaseQuotaPrivilege	964	winupdate.exe
Token: SeSecurityPrivilege	964	winupdate.exe
Token: SeTakeOwnershipPrivilege	964	winupdate.exe
Token: SeLoadDriverPrivilege	964	winupdate.exe
Token: SeSystemProfilePrivilege	964	winupdate.exe
Token: SeSystemtimePrivilege	964	winupdate.exe
Token: SeProfSingleProcessPrivilege	964	winupdate.exe
Token: SeIncBasePriorityPrivilege	964	winupdate.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
6280	VanToM-Rat.bat
5592	Server.exe
6796	VanToM-Rat.bat
2840	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
6280	VanToM-Rat.bat
5592	Server.exe
6796	VanToM-Rat.bat
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe
2840	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 5976 wrote to memory of 2840	5976	firefox.exe	85
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4748	2840	firefox.exe	86
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87
PID 2840 wrote to memory of 4560	2840	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 18 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6684	attrib.exe
5012	attrib.exe
6648	attrib.exe
2740	attrib.exe
6112	attrib.exe
6656	attrib.exe
6072	attrib.exe
3236	attrib.exe
5556	attrib.exe
6596	attrib.exe
4188	attrib.exe
4752	attrib.exe
3516	attrib.exe
6324	attrib.exe
3080	attrib.exe
6328	attrib.exe
6856	attrib.exe
6744	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.roblox.com/games/17625359962/RIVALS"
1⤵
- Suspicious use of WriteProcessMemory
PID:5976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.roblox.com/games/17625359962/RIVALS
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2028 -prefsLen 27099 -prefMapHandle 2032 -prefMapSize 270279 -ipcHandle 2116 -initialChannelId {614f9410-b374-4ad0-a436-1625c8eba15a} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2516 -prefsLen 27135 -prefMapHandle 2520 -prefMapSize 270279 -ipcHandle 2528 -initialChannelId {327d0988-32dc-4f32-8fae-f6845fa2e91b} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:4560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3836 -prefsLen 25164 -prefMapHandle 3840 -prefMapSize 270279 -jsInitHandle 3844 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3852 -initialChannelId {be1034b6-fd63-4a07-aab1-8197f6efa0c6} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4004 -prefsLen 27276 -prefMapHandle 4008 -prefMapSize 270279 -ipcHandle 4092 -initialChannelId {80d4fe8a-7d58-4a95-ac70-00ba9061e2a3} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3108 -prefsLen 34775 -prefMapHandle 3180 -prefMapSize 270279 -jsInitHandle 3264 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3200 -initialChannelId {c998fbe2-64db-4b67-ba3f-2b43dc21f93a} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4724 -prefsLen 35012 -prefMapHandle 2892 -prefMapSize 270279 -ipcHandle 5148 -initialChannelId {1b6c13d9-d424-4368-affa-0e2928ff2db9} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5296 -prefsLen 32900 -prefMapHandle 5300 -prefMapSize 270279 -jsInitHandle 5304 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5312 -initialChannelId {954cd0ba-d655-4caa-ad20-bd0ad41343f9} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5516 -prefsLen 32952 -prefMapHandle 5520 -prefMapSize 270279 -jsInitHandle 5524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5528 -initialChannelId {93408f1e-af02-410c-ac81-c3510229a87d} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:4272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5720 -prefsLen 32952 -prefMapHandle 5724 -prefMapSize 270279 -jsInitHandle 5728 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5736 -initialChannelId {96a99e13-b95f-4923-bb61-e3a35ab7bca4} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 1 -prefsHandle 2908 -prefsLen 35064 -prefMapHandle 6308 -prefMapSize 270279 -ipcHandle 6372 -initialChannelId {4d8f0ace-f18b-4741-b788-5d3f977bd12b} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 utility
    3⤵
    - Checks processor information in registry
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6256 -prefsLen 32952 -prefMapHandle 6252 -prefMapSize 270279 -jsInitHandle 6240 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6300 -initialChannelId {b24df454-a09f-4b84-a676-92d042652499} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:6140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6412 -prefsLen 39512 -prefMapHandle 6552 -prefMapSize 270279 -jsInitHandle 5712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6312 -initialChannelId {00e1686b-f1e1-4b2a-a671-83d154c34ae8} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:1996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6796 -prefsLen 36502 -prefMapHandle 6972 -prefMapSize 270279 -jsInitHandle 1656 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6176 -initialChannelId {26147f18-a34b-4e68-b669-fb90262c5f03} -parentPid 2840 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2840" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
    3⤵
    - Checks processor information in registry
    PID:5468
- - C:\Users\Admin\Downloads\Blackkomet.exe
    "C:\Users\Admin\Downloads\Blackkomet.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:6664
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:6304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\Downloads" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4752
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:3656
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6864
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5012
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6656
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6324
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6648
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3080
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6328
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2740
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3236
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6684
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6596
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7020
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5816

C:\Users\Admin\Downloads\NetWire.exe
"C:\Users\Admin\Downloads\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4852
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240 0x50c
1⤵
PID:6452

C:\Users\Admin\Downloads\CrimsonRAT(1).exe
"C:\Users\Admin\Downloads\CrimsonRAT(1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6536
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:6824

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6904
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA90E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:7088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3600

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6184
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:6308

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF53.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516

C:\Users\Admin\Downloads\NetWire.exe
"C:\Users\Admin\Downloads\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5808
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5524

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1696
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4652

C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6280
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\VanToM-Rat.bat
1⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
1⤵
PID:4800

C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\VanToM-Rat.bat
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6780

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\VanToM-Rat.bat.log

Filesize
765B

MD5
78c3b7e51d2f3e17041516a5f9a5e58d

SHA1
673979f1d2765fdd377244847e38e15e2bd77a63

SHA256
b005bbd1b6293c6b6ae5ee122f0ccf6ff455168f539643412d07df64266f9f01

SHA512
dbc1ec473bf034f6ec94c0fc9d8b84eb1562869249f8064dd8e8bc19626d5706b22e091f3264a04e307b59dfc76af73ec33053edc8ac6475e4c5c5dd3b331ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\activity-stream.contile.json

Filesize
5KB

MD5
dc94b124a867815f283036f667afd454

SHA1
7ca134d8af9a3a4558fae1d5970baea9f81efbc6

SHA256
1976902cde514b295d74820254e229914df0016144bb30a7638777565ebeb452

SHA512
932f84ffde40c2ae899c31fba0c4688c7f626bad7ac17e2e0703ccb64067dacbb543da4eef466ffa6b7745d522d3d166465b4855613ee58204a9f700a1650494

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\activity-stream.discovery_stream.json

Filesize
29KB

MD5
63c5947a3705e37d0a3d16b1360668fd

SHA1
a98b7448b4640dc6e1a751e810b8ad057b41bd74

SHA256
06073197614bc074e6491ecfb432d1ecc7ab9cc6bb988d2d36dd621deb9d7f85

SHA512
56e796b7930de281cf9533f3c8e4d648d3bfb00e1a0d717a8f6744c49138a6b4deb7d6fa88a034e49fa6b329b62cd2ee43ba265a3ddc2b75febf6b0fa1ec9031

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\cache2\entries\73EC3764FB3BA737E60C1F3545992FF513570DA7

Filesize
13KB

MD5
a4e7613a5f06c29b015539b832e16497

SHA1
9fc4fd006a6dfb404782e66339fda7abf304a3ad

SHA256
c8e5fdb7f6148edfd346b636402002ed9e37b32264229f247342fd3cae00531b

SHA512
09531e362426194efecab1602f9005be3291982d33eec7cbc6ef017eaa546a40a1fa9c5eff7ee4673c324348bd0012da0cc4a8eb65d2c095c2a42464fd0ee1c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
803bc9d3a4852b2c31736623113af323

SHA1
f8f325c370a3b2fa19113c1155be6ae0ecafebc8

SHA256
1b261536981b471c14efe31e6f3cdde794126411be9c697ad59a06a8bc3fcfb7

SHA512
3e18b5031e7897f92ae559a8cfcdf47b8acc9a02cab2e4aebe12b5866f8eae04d0e0444c78dad4aaef22be552169c76ad2d554c2b7f574a8180a3d8e37d75734

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
39B

MD5
7b3afea60421bbb95c700f49165bf550

SHA1
ba0e7a079884966f14c04789008a1b3ba2253d9e

SHA256
3f331c4de18b623e9ce3d32ad470bfdf8769642693b453e8d9af9b258ca28c7e

SHA512
c96097c961a643b99c2148f29df5338cce83042704cbfd55e9d4aef3f723b0a93d7fc893c3ec1ff031890e21f4912dd63f09391c944fe46f79d0fd7b46b8187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA90E.tmp

Filesize
1KB

MD5
e76d0adce4918793381892a30ba1d768

SHA1
a478dbbaa121fae74f2b1f414dd034d9b8348e67

SHA256
d3c61026b7a103e7d8d20d8af12cb5a845b39740df9fcf03260c323cf0405d93

SHA512
2c84bbdf4ff6dcb4ca3a5341e1169415a06ce00e968dc5d54137264980a207e129d67a04cc5c7b5c01bbdcf39a03f7d2020f19b2b97b4e297fc68d1c6937071f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
456a9649d9c80143285cec9f41ff8dfa

SHA1
25105b43f3fcbe8e7bd6b6a20aa8aba5eb8c6870

SHA256
223e1acb20307e323f9e717300be8895d31f3e5187f53da0e6189cce2ec3b5e4

SHA512
73f46a8a768e4c62c2cd5589aef1157ed5c87fd2addb58c7279ba89f6c195d4882637f8c34cbf19ac9ac84c21223bbd410d553f66d6e086a9043e165688e3370

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
3de91519806b02c26cf2a9733881457c

SHA1
7efa200922d7bce4a80116961e683056c3ed566c

SHA256
90888f11e3466c12f18396ed2045916b654b60f9a1e5c3ec5b26ec024cefa4e2

SHA512
ce1efb73312e125e56a59b51d9334af1b51089ced12dbad46c02b63dd140b5246798087b095599c850f47dc68366f5cc9ad768df88cd77e73969af6c7e4fa9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
0b907f7d3622321f3788ccec5a37d20f

SHA1
927f395a0539fbe1ab587bcbf951ebc8c5311af0

SHA256
53ddc0acc1e3a844c9c6e4ec1af4853f8c5d74271619f49e9a147bfc19c6499e

SHA512
fe2fc76174876b6072fbaad6c2489ff3efcf1aeb805b73c1d41288a00cd2273dc1c1ecbbefd8901374fe93a4d869bdf7a71f9c2cd8c86b72d7f5d57fcbea1eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\AlternateServices.bin

Filesize
16KB

MD5
8c7b36a6de23e3f7b489851c5f5f99ad

SHA1
dcb90f58043f2407acd35bec3a818b4b7b12a418

SHA256
c0984d5ed98b52794ee04333220c2f2abea1dbcc5399b9861ab81178f1d31be1

SHA512
ddede19776c30e02119c7df53144fe57dc029bc94bdefd2be211b312873cceeb237220719841f666baaed1e10c01a4b674862404d9f793f80be33253faad9095

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\AlternateServices.bin

Filesize
7KB

MD5
822863e1105ab5b095e36c734a65a4b1

SHA1
c2ac2797b79efa758564d2838c682862c35533b5

SHA256
0909e4c3b0cb6e297e90e39f15d2e5e68fa74bfb421d018f2f8632be2b07236e

SHA512
66c11d94008f65a7bfd5017f9675dedcf116821b09ed7c6e1b0dac2983d2e38739a9286a9948b641d46ca5c2f7144a987796263727e3a405b8f03eb077d0e41f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\SiteSecurityServiceState.bin

Filesize
5KB

MD5
ac0d1716526b802753e7b095768cc90e

SHA1
4c673f72a858923f46a76cdbb8b7a8ec7aa59b81

SHA256
f4b1fbc2e25af4125a30d40c1411f5abfc9502f93b7050eeb963544a37a80505

SHA512
d22177a86db6fb7f85cd75b597b9b2c339b66da3ff4a60e5a5cc7dbecee90564e4a815d3a75a9a5517932996d9f200687c67e9ea84c3237047127a6717f698fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
492bb113c75f129ea8b8155e16dbc420

SHA1
b56a35dd8a9dac40294e7f634071a886b9dc9784

SHA256
cb9ac617dded602c1c8adc7e78ac6fc454ef29df58fa3b1908ce5266292eab91

SHA512
615b3413d13a59bc27e857a374e79a97c37c2930f839acd0ab914b0ce4df590ac3450843e9b795d596828cf963562ee5b066c1777788080e155031cf25f82ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
ce89845e816f99b23d41a386f211e77a

SHA1
73c1c64c55680551893b7c9646c4e7a246e885cf

SHA256
5e6a292840365311dc652a9ea464f8e37da569993f14309bcb558e3004843696

SHA512
118fd4cb7cb80ee784a73a561251f6dd6c38ac9a093215f523dc7112db9440b66ad06f0ea1ff2e4961b29c7409edbfd5b326894c0c50850a4e074ecd691c2339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
ff03043689946743ae85e0cdaf8f7b98

SHA1
440afd4a4dda88c364d752e670e6a84401eb6e77

SHA256
7bd5df9fa0d8ad7498c72ae001159983d110f1e51884111c853cf7e4f7b8fb9f

SHA512
346f0aad2051b1524fadcccb568cb950c44446b804a76e2d28f9370c17faed79dc974db9f5113fa4fc258ba1f3ded8982fbb9ef5f9876308682ed7bb88219876

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
a23ec10ff72e2279a39b632a728ba296

SHA1
9a54267c89e147e56c831b5112e7272c5c476c23

SHA256
0920f1b737192584dfec0fe19d22f08761d92312cf9cc7ad0b74690247eac797

SHA512
c9be298d286691998e9a5174492828725e8f83f725a3f7fa6820e60d0f3c95878fc5bf9dd1949afb26d9cc114963b6eba4c9e0dcd8797115781e148e34a0f4f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
bfca2f5fb361aa130c1967539c28bde3

SHA1
02e5edc51ac1b9b6b7d77c67273b01e5a26565b8

SHA256
3f1fe9e40761c7df61ce1a051510eae962cd6f288d542d11a83b1b2accd26973

SHA512
1ff87604ea986d3fadcf3cc266cc0b06a51bfacdc35af37f4ffa84e2a66277ad2a789dbe2749cf0780fa09ffa12bd4c15f7b9aeab3511c5ededcb4d6a5047bb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
fa6c2eca0a114177e2e957ec15a6c212

SHA1
f112ef33375ac451eb1f2a03101414750af684b9

SHA256
ec4b1d9d07e56e99fcf92abcb7f33e6979d347e68b44984cc9d64ca003ec06c4

SHA512
05bac57e76f84fddc0ad17f698362c876d5d03831d20deb478cfee0a0b810b7148e4f50821b442f62f8213dfe7439e880f3c7f3cb7da87bd49b8355660112244

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\0ef84c8a-b372-4930-b182-759823facf6b

Filesize
17KB

MD5
94c8ede1dfce50dd03d826a3417a0c74

SHA1
d6a207f7e6f1b96bf5c52c9bf5faf69ec4a3a7c1

SHA256
4a76992ca231018c399eea735e66b9ec10584fa408f85b4f650c7dda894635de

SHA512
e7118ed052bf0c34b4415357890fa10d424bbaf37a9f954481de74c783a5566e4cd0d758797ddb340c825a889b65b95c4cd476a38103f7e277601c60a3af69ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\10b8e5e7-722a-4c22-9a86-106388e8aa2a

Filesize
5KB

MD5
4a8614780641d5e31e69be19deee5262

SHA1
7721d43013cc560f793cee4157b71840b37b05f1

SHA256
e3d07398e63b3e65aaed27ceaea88ca28ec0a7ee0a6ea03f1bbbade121110865

SHA512
8058c8fc2a8eab14fd618944094d7de9997642dfa27d45a02946dd0485a53b3ac051fa88caab4e263b07f55f5f4d3facd40e401f939447fd0a29ec5f66b0e9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\11a9ee6e-3855-4362-b180-dfbb34e3adab

Filesize
235B

MD5
8371cb30d55ac71a9dad89db6d07be3a

SHA1
ae102bedb5933b162bdad5f9a47dcb206b97b628

SHA256
441978e8bede904fbe54564e188c95b064029d5b5b7f326a751be05847fab4ff

SHA512
0e19e56b41cd5792492e6a1d4d8f227dea0776fbeda74bfd64cd3f72e0cf0b43bdb0e47c5e9e4926fc45682b0a4ee73e3e93b9a66c8d35bec4a564578a374f66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\347d77dc-b3aa-4c82-9bdc-e7eb67d25425

Filesize
281B

MD5
ff08e06a8a9b80b21128944049427054

SHA1
fb70cba8dd542a863ff27c044f2094ca5f63df68

SHA256
a1e8e8eb8f7d215914025c4572b5e10f8ae33a35cf073e6af36fb185737c5451

SHA512
48ee223f48f6af6447fe16a213a40926f6aa847a1d7b46451623ecaca64e2d8bd56d751fce3e51015f1832edc7c18ba30131dbd8787779b22812a7d29add1c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\638147ab-34bf-4574-8fea-8b2a2358ac5d

Filesize
883B

MD5
c6930126f5bddb30b64db4b262a824af

SHA1
43d47cbd5dd20240db892417c20b3dad416c0e92

SHA256
f78a949dd95eef56b4c9017b540b69cb0e5b8e881f39268396def2c52b8d5797

SHA512
6287256ff42876846e4bc9a27fd4e83370e087dcc64dc5539b7264155be47e8dbae0f354d3687ccab451063e1f619fa69d7db121b0d68881f839bccb660dd8a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\a4d22e41-9136-41a2-b444-a485bb79e0a9

Filesize
886B

MD5
f6445a9ece10e4744dabe15a374c885b

SHA1
d58fc21291616199939333cd8d57f40cda4631ad

SHA256
02d192cb95fe07b61b84a3f769ef6e64ea5a38cf6e114e860582a559a7c29aec

SHA512
a4615aa9f04876f8c42931d1b02b96dc35ccbb04e1d09eff07d8c319a8c6e05563153d1040d8de0857b63c837f72accf41339be8dc7aa42642406183dc174552

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\b277caac-ad47-45a1-8c25-f7ade64ebca0

Filesize
2KB

MD5
3c42e255997205410b900cb03a788397

SHA1
a9b09bb92aca7f3f6b66ccfe7ea26322845a2edd

SHA256
1aee050057c3bc60d4da3bdf514b5aae05599b1a5c977640bd96b31f9335a065

SHA512
bd61a699cec7699c0daa614e3018c3ccfc6c7f09deb67c9bbd9a257b28871d588dfccbdb095826719e98e35f87cb938bbf2c5d4d9e56aa2e8836de2dc35f81d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\f341cf7e-f715-4d81-8e40-c14152932140

Filesize
235B

MD5
02fcd35e39275acdddceb4016ed4c767

SHA1
fb77afc2cb131a3817a8de6c411d77e48f5beb65

SHA256
c4f1acf5c1802f548b3bceadad779729301c02b6144d911dcad94894c212b26a

SHA512
c9edfff53d6fff57b8262c55f11ce9a18471c5a2e160bafdbdfba13236aaa9460152911589913f48b3abbdbee8b96739fee945a0b52b0bf5c5c607bc8bf36553

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\datareporting\glean\pending_pings\f850308f-04b1-44b7-a6f4-8ac7e4148a6d

Filesize
1008B

MD5
b0e9f43305528e3f4aeb20f66f3c7e21

SHA1
267c8c090ad8407190cebd2fe6ca3974be254a67

SHA256
fdbb1c2c09a25292345bb32a73d250f517bf8a96f51f2964b097295e78bc70f8

SHA512
ea2b7f53d41ee36aad0184d3efd764f93f8c20f28076eb69bc3581cd68cebef9e9923e92fb09ef563d39748fe96ea1edf02f203cbb7af7a086b2bb724aa73dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\extensions.json

Filesize
16KB

MD5
ea4d0f5e58739e702b56f826fd48f57b

SHA1
2090c5c456aebc348797c8900d2b81a9fd5b93dc

SHA256
2d5a7fdb0a0d6c307ebda8ff7277084066ddd03aaa316a7c727e5c68c9445304

SHA512
f5bf8746e3fb6b95a76c72a2d6b23ca0d14d2a97c99538a3cdb2131b42df80345988530c431ae940f078efcb2f8b9e341d8a7ac9d1f223e80f02f95d0d2de9ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\prefs-1.js

Filesize
6KB

MD5
ea660cc5db9ee757ee1725d1c1361824

SHA1
52fc656affd5f260ddb7eeeb71af2558727a54e3

SHA256
005bdcd71b4df2039d0817aa6d55b0d341edbcb341687670015cd0ebdccf32cf

SHA512
87c60fafa7cd734509b3d4bcf0bf394110d3915617cd2f27404ead8edd9613a9d36be39febde88fce53cdb61b27820ea63446aa8bf79b1b8a996c30e571f9a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\prefs-1.js

Filesize
8KB

MD5
0ab21efbecbb226ab79de9f9e3bff882

SHA1
5222b6e8e750e96daa83d8a2607c0ac273d52219

SHA256
29a47476b535377dc985bfe2c8cfa358a01a180949bfb0d33dfd0ce166012596

SHA512
10c827566a80c2b1dd03c4e10588beecb34ac97f5ce1fd28337a213883db9bbc16adb76909b054d43cee4ea77686b256d29a743bcb4581dcd7ea5b5fa0c73452

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\prefs.js

Filesize
6KB

MD5
d39ef5160a60c5820ccc108ab5774e39

SHA1
d77da2032a1f4823c7f75ed8de93347d8d30c1c0

SHA256
d861948b37fb111a76e5d98b76fc19451e960320df5aee829871c9fce5474340

SHA512
dffda192ae9fceea7ebdb4fca6805a2a3497ed3ac5561b21089d5f74eda50b36710bc2131e141b3a113ba026465b8eb4570573640c172660ebf3dad3410741a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\prefs.js

Filesize
11KB

MD5
53cefad0ccd1d983a2c52d7d87e59f66

SHA1
b69cdb8f8a1fd49dd3aac7c86fee70dd97059323

SHA256
c8113a8efc899fb9d005096dfff60bb499248c231775d7572d7974a39ca63166

SHA512
029b10e75d3679cfdf7ac6d5239dfd0a504468b211cbc496daf840b5b1b2e2968d1d2dbd3e52580a3479b7c5daae188a2b8a6a5a933dc1ed023a3cca6508a2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
bb27b649eec3d5ba0e858cdf554f0a48

SHA1
7f9d4e8df6628b3ac93332ce5a960eb2dd4ccd8c

SHA256
03f47b2ea41b59608a04d02e2101680319a2237b8637854f5b3bf59e5cbaba52

SHA512
68e9ca1d743736cfc843d3b3e8373dec39f64a3345806533b97810016b5d3093067bf71f5108f0d247b28d28278f56085f2b59a3ce40ef7f947c437a911c6f89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
92dd88040a230f7738414ce4e8f54bf4

SHA1
d616cae64d0319302b5a943976371dcb1ee8ac1d

SHA256
60d2f473632757457f8dcb2205fc214fbda3c29e64d63c8c9c937aa25842b182

SHA512
adcc63fd0b98e135bf21367a0b1d332998a23e4ec391ba3d9c43bd1b06ee91f9a1881210106553ef5b488c13b72fa99905e913bec2b3b2d95b0ec2f9af41c7f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
db34bddf567355bdded6ecbb909400ce

SHA1
25888be3b6014b1532c905dc5086ecaca5085f94

SHA256
ee2b2e17baaa16879abf11c0aed01d57ecfc1aa4034d854153fb2cf93f05b754

SHA512
d918aa7f7f7730c9f31f1188aa93bdc19daaac7f3b452b746459910ab75ef67a1cd91a69cb9e3fab280471d824c764ac945fbaca162ab929301b9f3f4bd34454

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
b9fd5fd522aa2f9f328b1f8da327d705

SHA1
240032f6fc29f5563e0f44971a27606ec6ea6166

SHA256
95f996d0b1614079b991a65209171a9ecc4423e511b28494c3028f02fe181b34

SHA512
68779df1a91507975a6098cd9cece311bf36347c2e5df7ce01d19b66bbb247664764b7a53627e38cc4b98c6c089aab1dce1280c52926e34750b0c5c9b2da1058

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
c4fc1740e22960d72b6540bcc0e02982

SHA1
56bd8aa43bab9ec519be334637176089f1ebf76e

SHA256
76ab26b2a9c2b02c6b5b82661a294d759c460cd85a4a3e3395f7ce5bedf4faf8

SHA512
2b85866dce9505626b6849c1a58c140eed694e1dd8e7ea2813084b19bc3fbb6db7004e081fd8fc5f43aa1fa83cf10b32ed204788191a9229e18896f365ac8064

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
85db788691cbbd3b5ad4671da6bc94de

SHA1
b045adff6376e46be805f7f211bfe757e8950eb5

SHA256
2af86679efe0a7254ec72144085fd7803e11fb3c0795a53443aa0af171ca4b8b

SHA512
abf194c6e14ba9b8416fba65c03567d5c8bbfa97b8715ef91f9c01f67c4aa6b0cf55772ba373f4c9c90341fe76d072b367f4be2f6e1fed49d986dde615cbc518

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
cc3649c8e711ed1915a94ef8035488aa

SHA1
5205724d2d9af7b48b6b084df44e463a4ce837d3

SHA256
568c307685d60dfc0fae75a84c25ab078f5dd5afee456f430db8449eb84dfa82

SHA512
db40792dd829961c0ca2fe0d1d49324ea4930f5ee0147ab09a28bd792ef0ec7806e8b47a8453ca8772cfdf5e4be3a0bd99a8fae2ea5329a2195465fb07a90a02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
d4c007c0c597a5f5dca589139c95edb9

SHA1
e2c84886ab3bff15ae0cf183afe901787bd4b2f7

SHA256
367967ab0839850bfb2a6f2d60d71f618d5b1dbfcdd6d47a7e8df86038abec1c

SHA512
d36c9848a04f42a36bbd90072165a1ff595d11824bee56f31caeec0294ec235032588def18a5a53db5ec36936f62e8e79cb5053ffb907d726fc2034d27179d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
4d8e35228a996708b1769d781ca51d38

SHA1
8ba8bdb65e0d0e65653effcd0bdd41876481b316

SHA256
a9f9106fe0d9aef7e5397797af6e81a310a977b245360b0f2f3a4bc9cfcb8785

SHA512
34f08328065ad651e1d632a822331692e366b4d38db9597320d5173930cd0e7af3007cc619804e13c361e0f5e43bbcb2b34c727f6f49f3f7348629220959825d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
a69ae3ca75262c44b7a5aaa192620cf6

SHA1
8cc7d605bea9c79b3615c1a5609260750333f823

SHA256
98dd76a7522ff83f24045a376e5eaf9cbbfd43582307bfec75ece8319f3105cd

SHA512
2295570be815029961dea4ed78fbca568b603d7e20ba3e879845762f5f86fbd7d5bd27f8f28b89eb9f680ea1924dba04b836dccdb14a5c5f02fd213152eb9cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
051da3cac88e6ade95ee59209b4438f3

SHA1
c209ef916154dfa95aa0deca6f0230290cba60c4

SHA256
5062bf1bb9e583f7028d001c8141700d8611780862d1b4f3570f6e4d69e33f60

SHA512
a24e027e9c54c5fae2e70dc115088c80657051402db913833475762d30298a54e21342b102f72a1d5a36755d9f0c79f406bb0757c513eb1305ec4a6a093fe84b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y3nhmyvb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.8MB

MD5
bc83a948ab00bbb9a00993c1f3c2d68a

SHA1
de7ffd90941ddef107b9bf125b27e5f5d1d6775b

SHA256
029aadada036813c123a9ea2de05c42d7f0d97fc4654bb0380290bf43de3b6c5

SHA512
fb50cb915c12d237cc268881dbbe78d49106530d629a6e5ca21590def31395ac673b9b4a799cb04e8ac487eacbba9218587fc281e08ac7c1f030cb3ab90f6663

Download Submit
C:\Users\Admin\Downloads\Blackkomet.n8k0jSbs.exe.part

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT._WQqX5zw.exe.part

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\NetWire.aTFpVrbq.exe.part

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.av7kUQvT.bat.part

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\WarzoneRAT.kO1qISZL.exe.part

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier

Filesize
221B

MD5
f1b325288486362f1dc3ad9f592bdde6

SHA1
5204e7fd2ae9dcc986fa693c9e862a8ea7340539

SHA256
96d5cab2345d032d020aaa521771975cbce108fd905aeac11d94e7e7940ff962

SHA512
f8261d8d9c933172c2dbf3b8387b779f271724de52b216f9c2e7a7fc8da6bab285b69c9e10bda987825e894053de83292146c4e2253e45448a7fa106f7732e31

Download Submit
memory/4684-2252-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4684-2320-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4684-1405-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4684-1404-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4852-1402-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4852-1403-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4852-1425-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/6280-3299-0x000000001C290000-0x000000001C2DC000-memory.dmp

Filesize
304KB

Download
memory/6280-3296-0x000000001BA80000-0x000000001BF4E000-memory.dmp

Filesize
4.8MB

Download
memory/6280-3297-0x000000001BFF0000-0x000000001C08C000-memory.dmp

Filesize
624KB

Download
memory/6280-3298-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/6280-3295-0x000000001B500000-0x000000001B5A6000-memory.dmp

Filesize
664KB

Download
memory/6280-3302-0x000000001E480000-0x000000001E78E000-memory.dmp

Filesize
3.1MB

Download
memory/6536-2257-0x00000254E0770000-0x00000254E078E000-memory.dmp

Filesize
120KB

Download
memory/6824-2289-0x000001A7357A0000-0x000001A7360B4000-memory.dmp

Filesize
9.1MB

Download
memory/6904-2293-0x0000000000CE0000-0x0000000000D36000-memory.dmp

Filesize
344KB

Download
memory/6904-2294-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/6904-2295-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/6904-2296-0x00000000056F0000-0x00000000056F8000-memory.dmp

Filesize
32KB

Download
memory/6904-2297-0x0000000006390000-0x000000000642C000-memory.dmp

Filesize
624KB

Download
memory/6904-2298-0x0000000005D30000-0x0000000005D58000-memory.dmp

Filesize
160KB

Download