njrat | 13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616

Analysis

max time kernel
1137s
max time network
1166s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2024, 02:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

188KB
MD5

b848808a7c3f542eaf9718c0c8e0159f
SHA1

c8fc1af2a0e6df1be9426b5f2e636b7f2b1aa302
SHA256

13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616
SHA512

0eb66a47448b588cdbd4b1b1d426c70b10fd073f2612a1f45e3abbec7b61f35735ff2a8cfeb1eb3f5390f89cc3abd88522a1c7ff20ddc8857242e8ce7335ac2d
SSDEEP

3072:p2B+64kQ2EJam2dNREz9Vnc4OZMJwGu3U4QyZom8exsrPR5TE7D0XuDTTo6M//lz:p2B+64kQ2EJam2dNREz9FdOZMJwGuE42

Score

10^/10

njrat antivirus bootkit persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

AntiVirus

127.0.0.1:38277

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	498a888a37ff41bd96b64ba90456126e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	498a888a37ff41bd96b64ba90456126e.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\windows\system32\jsvi8r.exe	New Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2604	taskkill.exe
4952	TASKKILL.exe
3924	TASKKILL.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe
1440	New Client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	New Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	New Client.exe
Token: SeDebugPrivilege	4952	TASKKILL.exe
Token: SeDebugPrivilege	3924	TASKKILL.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe
Token: SeIncBasePriorityPrivilege	1440	New Client.exe
Token: 33	1440	New Client.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe
1700	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1700	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4952	1440	New Client.exe	71
PID 1440 wrote to memory of 4952	1440	New Client.exe	71
PID 1440 wrote to memory of 3924	1440	New Client.exe	73
PID 1440 wrote to memory of 3924	1440	New Client.exe	73
PID 1440 wrote to memory of 2604	1440	New Client.exe	76
PID 1440 wrote to memory of 2604	1440	New Client.exe	76
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 4852 wrote to memory of 1700	4852	firefox.exe	80
PID 1700 wrote to memory of 4900	1700	firefox.exe	81
PID 1700 wrote to memory of 4900	1700	firefox.exe	81
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82
PID 1700 wrote to memory of 3220	1700	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SYSTEM32\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\SYSTEM32\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /f im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\498a888a37ff41bd96b64ba90456126e.exe
  "C:\Users\Admin\AppData\Local\Temp\498a888a37ff41bd96b64ba90456126e.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:4272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.0.1271254433\1894821306" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {535efaf1-0b03-4674-b374-b50b919d1d92} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1792 213448d3e58 gpu
    3⤵
    PID:4900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.1.1405896161\1962201069" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c77bd95-99e5-4869-bc2f-803809381ac8} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 2148 213447fcb58 socket
    3⤵
    PID:3220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.2.208267487\1061987799" -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 2632 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c18a60-88f8-48aa-a92c-300b0cf73dc3} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 2712 213489ce258 tab
    3⤵
    PID:460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.3.126373198\712247315" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6da2ad73-0dcb-4d64-8bab-1c95d54fc868} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 3492 21349703258 tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.4.859633433\31601376" -childID 3 -isForBrowser -prefsHandle 4280 -prefMapHandle 4276 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {636ce6ae-3b40-417c-ab81-2ad57a55e423} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 4252 21349bac758 tab
    3⤵
    PID:3852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.5.1437222322\305777180" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4852 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91084e7f-f9f4-41b9-9815-c1a892e5e6d5} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 4856 2134bc0d258 tab
    3⤵
    PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.6.204731471\907569502" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5024 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {639c9011-f772-4b54-ac5f-ba465cc84205} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 5008 2134bc10858 tab
    3⤵
    PID:4408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.7.1230252153\985619652" -childID 6 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {033b6dd9-5aa2-4f43-9e96-b31a99e34db6} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 5180 2134bc0de58 tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1700.8.554809305\1279531847" -childID 7 -isForBrowser -prefsHandle 5568 -prefMapHandle 5588 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14ba9c64-d72a-43bc-835f-8d66e32eda43} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 5364 21332468a58 tab
    3⤵
    PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\498a888a37ff41bd96b64ba90456126e.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
7f4a2efd345374f2bc99473e90bf6e65

SHA1
b5fcf421ce5e8e00abd79f2c85ed50dc52cf18e5

SHA256
551d83db765084dd078431efe17c6f21e6485cb51ff0d825100d9084370fb87a

SHA512
086eaafaee943a7584e6ded07784063f140739525c43f052a159ff70312c2d632fa56ddcbe10f7b95b89ad152412171d457752c9aed5566a815d7295c84163fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\bookmarkbackups\bookmarks-2024-02-24_11_nS8Go9mVfVZwbMdsBUM-aA==.jsonlz4

Filesize
946B

MD5
617b39dc4c46a925f5c66fe298512813

SHA1
9cdce6af32243d154d99181090e2a014eaf46796

SHA256
ac2a48f0654940e1d7a87d20cd289e74c754e6c494be4ade519ffb9901933896

SHA512
74cf706ae1534f3774c1fdc9dd232c76d051ffb5c36609273bdea089cbea6ae5a9e4a42fa8fa9ae76291c93ede3b56dbbd620f597970edcbb3bd9d6168bf221f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
0a6d0e6f7e77c80eb27ed1839a26268c

SHA1
2d9c12b855bff2f8ceda3d22f9d44247372013c4

SHA256
6709210e4b43cc2a539f3cd9fd549201f0192873c932f4993a40d563eaa7284f

SHA512
6c5c27e8abaafa02751328b17a974c44a743bdb4d588492e69e9ea535f9f4f0e17f46586a8884c28bef70428aa94473642ce80bd2ba010538882bf6bc2dbb455

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\pending_pings\c5da2f59-5fd0-4ced-ad6a-c922dd9c05d5

Filesize
734B

MD5
db04034767f3cd119bd627377fa8ee80

SHA1
7ecc7265af7bb2f549f2478112d34e5493432e2e

SHA256
f388df0a145ea115486fc903651f2fd441eeb4342e9085d5802aebd75b923df2

SHA512
0be29d8a0494ee76801116614dc105a3fa48f40d0c186d131b834d72ea9cee0e7c498986a9e59c99e24fc80206a2b4a420b2bc0f0b2e57e4e4a738dffdcb1c31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\prefs-1.js

Filesize
6KB

MD5
f346a34d331d2fad5978891c5c62d5a3

SHA1
ccd73dc2f9c8d2003f02854c8170d030479aeb1b

SHA256
b8f2959db9155db140ea48482f7554b0893c44a2486979262034ac24bcb0df54

SHA512
fd464ab5c3f89f3c1545b128895ebfd4243f8b80755c2c62b906a7d8e70c3aa1c12fed04ca1cee14cea1e8fbbaa99b488f444f4b3a728ba5351a9b0c4638dcc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\prefs-1.js

Filesize
6KB

MD5
ec7696f84be4f7ee95457deeec200954

SHA1
d6287a0aed606261f60446a866cfd71f65449b21

SHA256
3a8db60939168bd5225532166059347f4e6bea2fc317d472c4b6c5a0848f56bc

SHA512
88c35cdb68150d95b15e1a60a6a24c171269a1e4db4b1e19ba93c249e6b8aca87df10c6ed91bbc62bfa1ec075cc98bd5efb8ca71608cdbdc2af06a64f91f201a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\prefs-1.js

Filesize
6KB

MD5
3fe3aa30ae375ac0593d3ac6557c5b49

SHA1
b11772ade22c88a306bb8ec9d29ebb62ca089b9b

SHA256
13f3a89d1a910d9e7fe2559a67201284e4e4772378d5542d79331c2f32e7c9b2

SHA512
d614b1ed4b96d4d3088f38bbcd5f8756a0e63d37e6712b8ab3d83bc2832e0e54c9ae589902b2458ddbb2b29b28103af02b625248e13b14ea9ebc754d9809a888

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\prefs-1.js

Filesize
7KB

MD5
7724cd725fa2a85afa1b4b0df75d0987

SHA1
127725e64779fc94a072ac2d35f0180f1a972e57

SHA256
a618eddccb98e704cccb86dca25c3ff5b4b39c272e279d3eb96b56438db8d6d7

SHA512
65e3a6c4cb182dd2990a1e4cff0757874778ed3ad02fb75d12a86d598d6eaf79bc9b242e356c201c59bb3e247dcb249ba819a8e23631d09e029f0e07a2fdeb38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c5ce88d14e2be6900d43a29d976a27f2

SHA1
66203c50e669f908ebb017139f8a3e80839cc6de

SHA256
b5c8a4046a2a93ccc373804bd968b6cb7e0f6ebd4f1fc11da20badafa8875ae1

SHA512
d4e23eba599ace303e2abe34152eb6d8b0159c8be141914419accac4cf3c613f413af8ab73101f2c2842a1bf75ba9a5bb88d3f63dd58e63792ea19fa56cdd1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
23f44bc8fea1a58a1e350669bd8d085c

SHA1
54f3c5543e184cede4f6e7f8388e7d2853943d12

SHA256
d6b4ee4d388bb293cdda0fb6d4f5d63df2bac429858cae2265ec01755272f8b3

SHA512
555db0ace887c8f18162f7d3458e34d9115568f7a4924c52564609f279b9ea3fc743ef4db6e9e811bfddc98f67678afcf2a9ef59f5b9ff9114ba39e06f46ce61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
96c262a54d09fc48826bd590d1fe2e34

SHA1
e4edcdbf5f5a81599a11e01c91ace7fb1eedbd63

SHA256
44ce1029ce061d3ee8821d97b9271ed7825d8b2ce4045dd34fe8046ebee735e3

SHA512
026bf7b9834eacda844c468289945e12745f99875e52fed492744260b6b366fe5c29475c8ceaf2b83650fed91d4de303c09e471cbcc63c5f789c6e7a5345cdd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
edd23bd508a9eb4df04650b403328832

SHA1
d364a07f1fcff9dcab2a26c9ac7b2dd9509e852f

SHA256
21f530a78fb8c5a6050abc3a31f62730bd2398ecd23aa3ba828691a3b4a57157

SHA512
b9b3e6cba55393735ef2890754bd6d155b3c8985b1eca58a6a6885547a2ee8202792ebda2c73cc645042fe55103c2b060ee9c1ac778937d694155b570fa474ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
c873c43eb10a5a1a5e50be7bc650f14d

SHA1
d39f1c3a7da858f21b8bc9e7a0c3a43d61c7f8e1

SHA256
3850f073896acfae5d83afae4c2ab35c9dfd9f3a9a1a079d87dfb4ca4d40b194

SHA512
adedb4b8bfaa3f4e8b1cf17b5b763763c5f4f6006f821b198092b3a7e85b19bcca9bec765f42be16200f43faf9e51f63d9a66fc653196ec6420722f635c28eae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\targeting.snapshot.json

Filesize
3KB

MD5
3c3b5fdd55d2d5d4469f3d9e56ecc533

SHA1
ad2f784c965c61c724e13d4336bbf9dd0424304c

SHA256
29aef0470a3513802ba665d31947ef31e99c77636f6bb15df2afeb92dc759b15

SHA512
5fd69ded4edce093ae2eba47ddeca93a481620d2f0d88b6b1a8ae043effe62b8142bff93f26792005a6669eb89b7ef95c6762e6a60554155ffa546798c48ab49

Download Submit
memory/1440-11-0x000000001D850000-0x000000001D8EC000-memory.dmp

Filesize
624KB

Download
memory/1440-19-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1440-15-0x00007FF942310000-0x00007FF942CB0000-memory.dmp

Filesize
9.6MB

Download
memory/1440-14-0x000000001D750000-0x000000001D769000-memory.dmp

Filesize
100KB

Download
memory/1440-13-0x000000001D960000-0x000000001D9C2000-memory.dmp

Filesize
392KB

Download
memory/1440-12-0x0000000002C90000-0x0000000002C98000-memory.dmp

Filesize
32KB

Download
memory/1440-17-0x00007FF942310000-0x00007FF942CB0000-memory.dmp

Filesize
9.6MB

Download
memory/1440-5-0x000000001CBB0000-0x000000001CC56000-memory.dmp

Filesize
664KB

Download
memory/1440-18-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1440-16-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1440-4-0x000000001CAC0000-0x000000001CAFA000-memory.dmp

Filesize
232KB

Download
memory/1440-0-0x000000001C010000-0x000000001C4DE000-memory.dmp

Filesize
4.8MB

Download
memory/1440-155-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1440-3-0x00007FF942310000-0x00007FF942CB0000-memory.dmp

Filesize
9.6MB

Download
memory/1440-2-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1440-73-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1440-382-0x0000000001220000-0x000000000122A000-memory.dmp

Filesize
40KB

Download
memory/1440-1-0x00007FF942310000-0x00007FF942CB0000-memory.dmp

Filesize
9.6MB

Download
memory/4272-388-0x0000000002030000-0x0000000002042000-memory.dmp

Filesize
72KB

Download
memory/4272-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download