Analysis

max time kernel: 1374s
max time network: 1135s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16-07-2024 07:54

Behavioral task: behavioral1
Sample: ANDROID_RAT.rar
Resource: win11-20240709-en

General

Target: ANDROID_RAT.rar
Size: 15.8MB
MD5: f121b24292ab6b5c0fdc6f165f7e869d
SHA1: f5a34d026d56262ddf99b8099706d0c774b3cfb7
SHA256: 8a78fdf56fe352e39b804faa5f544db35694ea6d0d46297d52bb66986604ab15
SHA512: 954647af0d46b744073e642e84b91440e864c2e185ce7a1455360dc3d0065066fe9a99fe13684ad45658e871aa0ff485c43488b94c0b2d5bf4e6de97e172bd36
SSDEEP: 393216:JKSn4hsYBCxVv2A6VbjSKgtB2WFVCHKSn4hsYBCxVv2A6VbjSKgtB2WFVCZ:JX+sYcVvf6VjSltxCHX+sYcVvf6VjSlQ
Malware Config
Signatures

- Downloads MZ/PE file

- Drops startup file (3 IoCs)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Build 1.exe (process: Build 1.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Build 1.exe (process: Build 1.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compiler.exe (process: Compiler.exe)

- Executes dropped EXE (7 IoCs)
    PID 3916 winrar-x64-701.exe
    PID 2900 Build 1.exe
    PID 4516 Build 1.exe
    PID 5036 Build 1.exe
    PID 3092 Build 1.exe
    PID 4640 Compiler.exe
    PID 4948 Compiler.exe

- Loads dropped DLL (64 IoCs)
    All 64 entries are attributed to PID 4516 (Build 1.exe) and PID 3092 (Build 1.exe).

- Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 13 IoCs)
    discord.com (flows 96, 97, 139, 148, 150, 118, 113, 120, 125, 127, 142, 145, 153)

- Looks up external IP address via web service (13 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    api.ipify.org (flows 101, 102, 110, 25, 107, 123, 143, 146, 92, 131, 140, 106, 116)

- Drops file in Windows directory (4 IoCs)
    File opened for modification by UserOOBEBroker.exe:
    C:\Windows\Panther\UnattendGC\setupact.log
    C:\Windows\Panther\UnattendGC\setuperr.log
    C:\Windows\Panther\UnattendGC\diagerr.xml
    C:\Windows\Panther\UnattendGC\diagwrn.xml

- Detects Pyinstaller (1 IoC)
    resource behavioral1/files/0x000100000002ab3f-764.dat matched YARA rule pyinstaller

- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 12 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    All 12 entries are from firefox.exe:
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (3 times)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (2 times)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (2 times)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (1 time)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (1 time)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (3 times)

- Enumerates processes with tasklist (1 TTP, 3 IoCs)
    PID 4200 tasklist.exe
    PID 1192 tasklist.exe
    PID 4980 tasklist.exe

- Modifies registry class (3 IoCs)
    Key created: \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings (process: cmd.exe)
    Key created: \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings (process: OpenWith.exe)
    Key created: \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings (process: firefox.exe)

- NTFS ADS (1 IoC)
    File created: C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier (process: firefox.exe)

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
    Token SeDebugPrivilege: PID 2004 firefox.exe (2 times)
    Token SeRestorePrivilege: PID 4836 7zG.exe
    Token 35: PID 4836 7zG.exe
    Token SeSecurityPrivilege: PID 4836 7zG.exe (2 times)
    Token SeDebugPrivilege: PID 4200 tasklist.exe
    Token SeDebugPrivilege: PID 1192 tasklist.exe
    Token SeDebugPrivilege: PID 4980 tasklist.exe

- Suspicious use of FindShellTrayWindow (24 IoCs)
    PID 2004 firefox.exe (23 times)
    PID 4836 7zG.exe (1 time)

- Suspicious use of SendNotifyMessage (2 IoCs)
    PID 2004 firefox.exe (2 times)

- Suspicious use of SetWindowsHookEx (9 IoCs)
    PID 3096 OpenWith.exe (1 time)
    PID 2004 firefox.exe (4 times)
    PID 3916 winrar-x64-701.exe (3 times)
    PID 2952 OpenWith.exe (1 time)

- Suspicious use of WriteProcessMemory (64 IoCs)
    64 entries across three parent/child pairs:
    PID 4836 firefox.exe wrote to memory of PID 2004 (procid_target 87)
    PID 2004 firefox.exe wrote to memory of PID 2300 (procid_target 88)
    PID 2004 firefox.exe wrote to memory of PID 1052 (procid_target 89)

- Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

* C:\Windows\system32\cmd.exe (PID 1132)
    cmd /c C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT.rar
    - Modifies registry class

* C:\Windows\system32\OpenWith.exe (PID 3096)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

* C:\Program Files\Mozilla Firefox\firefox.exe (PID 4836)
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    * C:\Program Files\Mozilla Firefox\firefox.exe (PID 2004)
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 2300)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23636e10-3f3d-4669-86a8-88551f5eba0a} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" gpu
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 1052)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 25787 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {448f430a-d539-422a-a1f2-60446f429e42} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" socket
            - Checks processor information in registry
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 3352)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3184 -prefsLen 25928 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322f91d6-ef16-4eab-8ca6-a471e7e34a44} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 2744)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3432 -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3416 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85abd905-4347-49d2-8c73-c5fa27e7c218} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 4632)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4716 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {284f7937-ed83-4424-b6e1-21ee0e578bb3} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" utility
            - Checks processor information in registry
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 3604)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5344 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f98a28-6ddc-45a8-a837-14d27abd6320} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 4480)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5352 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5287f9-ef8d-474a-b266-a19459251e08} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 1368)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5364 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7897d7d-7e9d-4d75-9019-6321578ef868} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 5072)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 6 -isForBrowser -prefsHandle 6044 -prefMapHandle 6052 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a25d1d-71ec-418f-a5bb-e22282d65475} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Program Files\Mozilla Firefox\firefox.exe (PID 1344)
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 7 -isForBrowser -prefsHandle 4376 -prefMapHandle 5044 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99ec29b0-88ae-4bc9-9452-f1e215c0129f} 2004 "\\.\pipe\gecko-crash-server-pipe.2004" tab
        * C:\Users\Admin\Downloads\winrar-x64-701.exe (PID 3916)
            "C:\Users\Admin\Downloads\winrar-x64-701.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

* C:\Windows\system32\werfault.exe (PID 4252)
    werfault.exe /h /shared Global\44cea7c192914a3fba6a5b682986d401 /t 3952 /p 3916

* C:\Windows\System32\rundll32.exe (PID 548)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

* C:\Program Files\7-Zip\7zG.exe (PID 4836)
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\" -spe -an -ai#7zMap14655:102:7zEvent14219
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

* C:\Windows\system32\NOTEPAD.EXE (PID 1160)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Readme.txt

* C:\Windows\system32\svchost.exe (PID 412)
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

* C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 1660)
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    - Drops file in Windows directory

* C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 2964)
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

* C:\Windows\system32\OpenWith.exe (PID 2952)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx

* C:\Windows\system32\cmd.exe (PID 4876)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Run first.bat" "

* C:\Windows\system32\cmd.exe (PID 1464)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Run first.bat" "

* C:\Windows\system32\cmd.exe (PID 1932)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Run first.bat" "

* C:\Windows\system32\cmd.exe (PID 2456)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Run first.bat" "

* C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe (PID 2900)
    "C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe"
    - Executes dropped EXE
    * C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe (PID 4516)
        "C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe"
        - Drops startup file
        - Executes dropped EXE
        - Loads dropped DLL
        * C:\Windows\system32\cmd.exe (PID 1664)
            C:\Windows\system32\cmd.exe /c "tasklist"
            * C:\Windows\system32\tasklist.exe (PID 4200)
                tasklist
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe (PID 5036)
    "C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe"
    - Executes dropped EXE
    * C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe (PID 3092)
        "C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Build 1.exe"
        - Drops startup file
        - Executes dropped EXE
        - Loads dropped DLL
        * C:\Windows\system32\cmd.exe (PID 1400)
            C:\Windows\system32\cmd.exe /c "tasklist"
            * C:\Windows\system32\tasklist.exe (PID 1192)
                tasklist
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Compiler.exe (PID 4640)
    "C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Compiler.exe"
    - Executes dropped EXE
    * C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Compiler.exe (PID 4948)
        "C:\Users\Admin\AppData\Local\Temp\ANDROID_RAT\ANDROID RAT\Compiler.exe"
        - Drops startup file
        - Executes dropped EXE
        * C:\Windows\system32\cmd.exe (PID 4500)
            C:\Windows\system32\cmd.exe /c "tasklist"
            * C:\Windows\system32\tasklist.exe (PID 4980)
                tasklist
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\43ae63c1-5f04-471c-92b6-82ba3f414c4f
Filesize671B
MD500347ab1896e9b54973b6d94a58183c4
SHA1643c3272ac0309bd7253fc422b34484beeb1c7ba
SHA2565db28c9647d1475c7094ebdc1d1a51ef266c9b5f19b9599dc7300357a1a52e1b
SHA5126420f4b5da34a3b4b10db199829a38db7c9a3d38ec2b9a5b308b5c6739c5056855940c90a1b3b76689e0fbd3983114f76e6a93e4b0b4c34de73829109b0590cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\65d562e9-53d5-4b11-acd2-b876cabe1fbb
Filesize982B
MD5b91e1ed142c1b9c203d11643d43772c9
SHA13a0413163c387da37b625a0a4685180382874123
SHA2564062f9040861683266c8499c5431b4e3870a0092b8e53511613afcf60e36e2ed
SHA512127d5cf00b388c31bb4ff6bb61db81d7e324a005fb2b111672ac4a60983127a272fac985f9d76d2c1fadace11e39f80cc95a4ce62d5bcc3779f6290cc69ff3ac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\datareporting\glean\pending_pings\7aa32236-35db-41eb-b575-279256be02bc
Filesize26KB
MD588d33cdd7b1fcc395f4f0694bc4b8999
SHA12e6d4943c1b09a4ff11abbf29e20574bac6cb62f
SHA256c39a46c581ea894e728977e2fb472a469c7518dec36a3f19ad23e317d6852505
SHA5125a8d2f3e8ff56c6a3e8438863c0c66a3e249808a0f8ed271bd47e9c86ea00a5aa0517ee35cbfcc7b46157cd35dda06e5cd2a4f146a416c89c74bbbe3c1019022
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5ad835a8e3965b510011dc8bff45ef40d
SHA1dc59b7ad63ab594011b9a6760c585916d7836114
SHA2567b35434a7059aba720de6b19a0e4a7184c476d14f901b210e4afed6150fbdf7a
SHA512e87296596b4e1ebc89e78806459cecc808ef533ce8197b4411e424214b63e0f17310ca861095af60ebd951f6927215fba4dbf16a066fcca0f325d53569c53996
-
Filesize
11KB
MD56d2bb68b5c6921719cd231a54c8cf62c
SHA17486ca5c614881907a1e1cf10a762d3ab451e98d
SHA256d9662c2013f15ffba96ba2bb17da94399457e5f42498208ee3e77a55f1ad6072
SHA512080c4425289f842a44b2848a779f2ac525ec5d3b94bc1aa63d4b7d4f61c81063e2b686939f9be5078e0cda043a63280ee304fe68c41636c7e57e6a6e46ae145e
-
Filesize
12KB
MD5ec05d9052b2dc86bb9193359ebe0c5cd
SHA1742991bb1473d9adbd66595ab420d19beeac2950
SHA2566b576bfed516a7cb8f8cbb4b26da8e73a3f1a9ccb3742dbf3f8e7498af9b3439
SHA512e1d775bb63725ad58a08c5ba0bc9139ffadf15bef03bc5ed62a2838d677ffef4b9084a4865c1679d1c4e78df56dfbc406a4dea368b671bc8354e8f0b8797d6d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\sessionCheckpoints.json
Filesize228B
MD5a0821bc1a142e3b5bca852e1090c9f2c
SHA1e51beb8731e990129d965ddb60530d198c73825f
SHA256db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2
SHA512997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD5e604433bf7c4f00c5a7aad0b79556c82
SHA106d92d80330d967d72d4ac6eb78d54af5cbd6008
SHA256a2735b264e7615e295fa625348fc994d0055cde3fa0c7d111831d6a531e0ce5a
SHA5123826b7a006519159cb9658011b58dc05e7412003ff38483ff540241e4bdc3a29aacf4f7e8bfe211c62f0b1213daed4be0df86d9adbeac7b41fc9e4018aedb9d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD548c9697f5607b1fcef0be8783041c8c8
SHA14b1fbb6f9e7dd8be3a1fb502ad891dfa3e958f5a
SHA256c6006394e3c0d70833c32495513a0a66046e20967fdfe3224d53614b2e59b521
SHA5128cd010e082a36d2b7ad2f561b9705a1d810bc281247ea1f56a5f3c0e11a42ae62d5ee8061005eec597f8e0dbd33f2bd25f517e187fcdcd6a436698ca689c6d65
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD5c0dfff554ee809dadfdb310b5787bcd1
SHA16a4c874f005e3bd66d0ffd54e6354256526aba1f
SHA25659d60ebf729893b4922ec8c48c9bb1fbcf023eb98583392168d10f54f532b128
SHA512e4a162546975a344784cd4716aeee17f8e2337c2414a16b7ff22ee34d3144a03192a7dc7aeb187ae57498df8218da8b84351401c569811c856a4d46e96f94bcb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9orreff.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5627052fd571cfa1ee7ad14293cf9693d
SHA1b4b1eacd1536c0f99e2b58f2ffd26d6f39ef1a36
SHA256b6c26837b6ad8a1d4bfb21da6ba074f8eb80d544525117b66f5b782ac006c4ae
SHA512c39ca149b91629561ed41c4f9be51f5bbfbcf897d6f0a7f486a368db192c4f8d4f38d963b8688798284394e1260d54a2b329d21cf35f2aefcb418f6af17bd3ed
-
Filesize
3.8MB
MD546c17c999744470b689331f41eab7df1
SHA1b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA5124b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
-
Filesize
167B
MD5b4397fd9120f8b57b58e8fb76b10c2df
SHA1591f19a1cd61d56f0448148cdb276b15aeaa0ba8
SHA256f21d922c177d3ed923db12c9fd6e0cd83f7f4ffa9447653afd60d5c203bd82e0
SHA5121fded971f2ff01ec4ff6a21a78736b4148503d50b23aca6d147cf5f6e43ab63cf3ec1c5e496d2feec3b1809ceabc2379ad779a3aca9104d58bc5964af797bcce