Analysis
-
max time kernel
386s -
max time network
386s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
08/10/2024, 09:56
Static task
static1
Behavioral task
behavioral1
Sample
NocturneLoader.exe
Resource
win10-20240404-en
Errors
General
-
Target
NocturneLoader.exe
-
Size
607KB
-
MD5
4a5b7c6a9592dd295c6c23c6b17eae92
-
SHA1
538654fa1a9453483ab2d051fad9dfe38cfa2b3e
-
SHA256
4c3fad8ea837861fe54356ad6e7e40cce2fe305b9cb323f07d8802c93a440b70
-
SHA512
47144a0eac75fb8a4653644441c8f3805e98cf82e681e89288603497ca44b2a43e1c3e794171113bd8744bc712cef31578f0e4f8e54ac029f9613531820ec248
-
SSDEEP
12288:Cs13XpHNz+8cbkAklsOnb7Ev812q94GEwX/E+:b3XbzzculsObQva91DX8
Malware Config
Extracted
njrat
im523
HacKed
127.0.0.1:5552
984559f52d4087243e95e5ad9bb48e8d
-
reg_key
984559f52d4087243e95e5ad9bb48e8d
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
4084 | netsh.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe | server.exe
-
Executes dropped EXE 3 IoCs
pid | Process
3424 | dotNetFx35setup.exe
4036 | Server.exe
5884 | server.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\984559f52d4087243e95e5ad9bb48e8d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\984559f52d4087243e95e5ad9bb48e8d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | server.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
163 | camo.githubusercontent.com
172 | camo.githubusercontent.com
160 | camo.githubusercontent.com
162 | camo.githubusercontent.com
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | server.exe
File opened for modification | C:\autorun.inf | server.exe
File created | D:\autorun.inf | server.exe
File created | F:\autorun.inf | server.exe
File opened for modification | F:\autorun.inf | server.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 5884 set thread context of 5172 | 5884 | server.exe | 124
-
resource | yara_rule
behavioral1/memory/5172-1070-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/5172-1071-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/5172-1072-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/5172-1077-0x0000000000400000-0x0000000000472000-memory.dmp | upx
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\dotNetFx35setup.exe:Zone.Identifier | firefox.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dotNetFx35setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NjRat 0.7D Green Edition by im523.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ilasm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Kills process with taskkill 1 IoCs
pid | Process
6032 | taskkill.exe
-
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\NodeSlot = "5" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 90003100000000004859784f10004e4a524154307e312e3744470000740009000400efbe4859784f4859784f2e000000a9ab0100000008000000000000000000000000000000526e38004e006a00520061007400200030002e0037004400200047007200650065006e002000450064006900740069006f006e00200062007900200069006d0035003200330000001c000000 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\MRUListEx = ffffffff NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1 NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NjRat 0.7D Green Edition by 
im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 0000000001000000ffffffff NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\NodeSlot = "6" NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1 = 14002e8005398e082303024b98265d99428e115f0000 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell NjRat 0.7D Green Edition by im523.exe 
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 NjRat 0.7D Green Edition by im523.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = ffffffff NjRat 0.7D Green Edition by im523.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 90003100000000004859784f10004e4a524154307e312e3744470000740009000400efbe4859784f4859784f2e000000a7ab0100000008000000000000000000000000000000d7bf47004e006a00520061007400200030002e0037004400200047007200650065006e002000450064006900740069006f006e00200062007900200069006d0035003200330000001c000000 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell NjRat 0.7D Green Edition by 
im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell NjRat 0.7D Green Edition by im523.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance NjRat 0.7D Green Edition by im523.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" NjRat 0.7D Green Edition by im523.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings firefox.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff NjRat 0.7D Green Edition by im523.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 NjRat 0.7D Green Edition by im523.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 9e003100000000004859784f10004e4a5241542d7e312e37442d0000820009000400efbe4859784f4859784f2e0000004ea1010000000300000000000000000000000000000008224a004e006a005200610074002d0030002e00370044002d0047007200650065006e002d00450064006900740069006f006e002d00620079002d0069006d003500320033002d006d006100730074006500720000001c000000 NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 0100000000000000ffffffff NjRat 0.7D Green Edition by im523.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" NjRat 0.7D Green Edition by im523.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" NjRat 0.7D Green Edition by im523.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 NjRat 0.7D Green Edition by im523.exe -
NTFS ADS 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\dotNetFx35setup.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-master.zip:Zone.Identifier | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4684 NocturneLoader.exe 4684 NocturneLoader.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 208 taskmgr.exe 208 taskmgr.exe 5884 server.exe 5884 server.exe 5884 server.exe 5884 server.exe 208 taskmgr.exe 5884 server.exe 5884 server.exe 5884 server.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid | Process
5400 | OptionalFeatures.exe
2084 | NjRat 0.7D Green Edition by im523.exe
5884 | server.exe
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
description | pid | Process
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: 33 | 5688 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 5688 | AUDIODG.EXE
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 5884 | server.exe
Token: SeDebugPrivilege | 6032 | taskkill.exe
Token: SeDebugPrivilege | 208 | taskmgr.exe
Token: SeSystemProfilePrivilege | 208 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 208 | taskmgr.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: SeDebugPrivilege | 5172 | vbc.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: 33 | 5884 | server.exe
Token: SeIncBasePriorityPrivilege | 5884 | server.exe
Token: SeShutdownPrivilege | 992 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 992 | shutdown.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 
taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 780 firefox.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 2084 NjRat 0.7D Green Edition by im523.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe 208 taskmgr.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
780 | firefox.exe
780 | firefox.exe
780 | firefox.exe
780 | firefox.exe
780 | firefox.exe
780 | firefox.exe
780 | firefox.exe
2084 | NjRat 0.7D Green Edition by im523.exe
5340 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | occurrences
PID 4684 wrote to memory of 1568 | 4684 | NocturneLoader.exe | 75 | 2
PID 1568 wrote to memory of 2076 | 1568 | cmd.exe | 76 | 2
PID 1568 wrote to memory of 4932 | 1568 | cmd.exe | 77 | 2
PID 1568 wrote to memory of 1344 | 1568 | cmd.exe | 78 | 2
PID 1416 wrote to memory of 780 | 1416 | firefox.exe | 81 | 11
PID 780 wrote to memory of 1512 | 780 | firefox.exe | 82 | 2
PID 780 wrote to memory of 4888 | 780 | firefox.exe | 83 | 43
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe (PID 4684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1568)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 2076)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe" MD5
    - C:\Windows\system32\find.exe (PID 4932)
      Command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 1344)
      Command line: find /i /v "certutil"
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 1416)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 780)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1512)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.0.1811862586\846525327" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b495f21a-4434-4ac2-a539-db2d1b45c24f} 780 "\\.\pipe\gecko-crash-server-pipe.780" 1828 2ab1d8d7a58 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4888)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.1.560869547\518342937" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ede8d8-9780-43f6-8e4a-f5750f300dee} 780 "\\.\pipe\gecko-crash-server-pipe.780" 2184 2ab1d8b9d58 socket
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 352)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.2.996990159\1995291789" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d3e344-a542-4b4d-8b9b-01ec794c3dab} 780 "\\.\pipe\gecko-crash-server-pipe.780" 2872 2ab1d85aa58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2336)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.3.759991510\769022317" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3616 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cec9445-ec71-49af-bab8-d29879b706cd} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3640 2ab12b67e58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4556)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.4.990238164\378739760" -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {261c1900-0fa7-4f8e-b7df-a5bbe6c71f4b} 780 "\\.\pipe\gecko-crash-server-pipe.780" 4048 2ab23396258 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4280)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.5.99984836\67731113" -childID 4 -isForBrowser -prefsHandle 1524 -prefMapHandle 4616 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d8f989b-b3ac-407c-9ca3-d75dc54ea165} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5044 2ab203cef58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4824)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.6.619234961\517638514" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9fb9878-f673-44f5-b759-74608fec48d9} 780 "\\.\pipe\gecko-crash-server-pipe.780" 4800 2ab24422658 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3740)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.7.848441975\2093024084" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {812f7634-7073-4bd5-a6ae-459b5c7eb8ea} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5296 2ab250d2058 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4140)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.8.821937443\1380851066" -childID 7 -isForBrowser -prefsHandle 5664 -prefMapHandle 5332 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db784e0d-354a-409a-874a-a3504d3b5b38} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5672 2ab262b7e58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 864)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.9.1804704977\1095433700" -childID 8 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d9efe54-6eba-4bf9-8e20-18c1ee1a9d2e} 780 "\\.\pipe\gecko-crash-server-pipe.780" 1664 2ab26558b58 tab
    - C:\Users\Admin\Downloads\dotNetFx35setup.exe (PID 3424)
      Command line: "C:\Users\Admin\Downloads\dotNetFx35setup.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5320)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.10.259720370\1145899561" -childID 9 -isForBrowser -prefsHandle 1628 -prefMapHandle 4816 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea97ce77-fb99-41ba-b5c5-5a810dccabea} 780 "\\.\pipe\gecko-crash-server-pipe.780" 4216 2ab1f51ff58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5600)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.11.290450059\1366764480" -childID 10 -isForBrowser -prefsHandle 5264 -prefMapHandle 5248 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5598e857-b855-42a2-8418-0f12bfba4b00} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5236 2ab25e9e658 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5604)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.12.1761787092\426501069" -childID 11 -isForBrowser -prefsHandle 6796 -prefMapHandle 6828 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58fa037a-df6d-47a9-979a-fd7387ffd8a5} 780 "\\.\pipe\gecko-crash-server-pipe.780" 6756 2ab1f4f3858 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4960)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.13.446233759\1109011766" -childID 12 -isForBrowser -prefsHandle 4784 -prefMapHandle 4884 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d8b0bb2-11df-40ea-84f6-6d6c900d5f8e} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5064 2ab22332458 tab
- C:\Windows\SysWOW64\DllHost.exe (PID 5220)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\DllHost.exe (PID 5352)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\OptionalFeatures.exe (PID 5400)
  Command line: "C:\Windows\system32\OptionalFeatures.exe"
  Signatures: Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\System32\rundll32.exe (PID 5988)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\cmd.exe (PID 5916)
  Command line: "C:\Windows\system32\cmd.exe"
  - C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe (PID 2084)
    Command line: "NjRat 0.7D Green Edition by im523.exe"
    Signatures: System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe (PID 3084)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\Server.exe"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\explorer.exe (PID 1852)
    Command line: explorer
    Signatures: Modifies registry class
- C:\Windows\system32\AUDIODG.EXE (PID 5688)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x304
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\Server.exe (PID 4036)
  Command line: "C:\Users\Admin\Downloads\Server.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 5884)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops autorun.inf file; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\netsh.exe (PID 4084)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\taskkill.exe (PID 6032)
      Command line: taskkill /F /IM Exsample.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5172)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\4492587"
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\shutdown.exe (PID 4008)
      Command line: shutdown -l -t 00
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\shutdown.exe (PID 992)
      Command line: shutdown -s -t 00
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 208)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\LogonUI.exe (PID 5340)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aa7055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 5528)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
- C:\Windows\System32\rundll32.exe (PID 4920)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
- Filesize 319B
  MD5 6b5a2c06d34c86bcc8aacc3a739fd362
  SHA1 54fc90eaa12ba9251414e8dac83fdae08819ee42
  SHA256 1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68
  SHA512 228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba
- Filesize 28KB
  MD5 a5daddfac8af8059b6f3fd0a43663f7c
  SHA1 9ffc05718a2d669d3d284e5cada0da115620a1ee
  SHA256 ae216552f6dad3cc4a3754eeb1741785dadbc210ac47ebba29468b60ec2c615b
  SHA512 1046b1ef70ec37aef21e8aef65f6ce449c50efa5dcff84f46e7a72a353e0b68d2f77ac122bea79c2304b4d7ca1b14a6b2a59d551c1d6a674b69b0b1612a00818
- Filesize 9KB
  MD5 56016ba703f3e1b5ae1fc2fdf81e5779
  SHA1 eccc2e6341a5a94546477db2a2eef054cdf3f2dd
  SHA256 10237c3da0f74fbe3981329ff249021726749fd48a822a1c133cf34d391b8fa0
  SHA512 88edb4361046bad29d8fcbbce8abb68ef46d132461d375421c5915e5204786cf18d11cc74f646ddeeb045165f9c35ee9ce340a92763dc4f631e41265219c5917
- Filesize 13KB
  MD5 6bf8133a8ee5e512f68b809ef73bb762
  SHA1 37619b38017884865048232c82710fe26195fb11
  SHA256 cee86265b4fc2d97b6937de8880f62a6439ee923fabc6de193bee38ad6a3b25f
  SHA512 76b51aff0d7b2e4a02a50743d1a9093557394d3548952e346e330cc9f765300aa7e8a4f221a417a5c2ca7a37471fe67e5badae27d80e43ae170f2d85ecb418a6
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0
  Filesize 63KB
  MD5 a14ba3169c7de1fdaeb50cd26288075f
  SHA1 6f50ce7f92e65984bfa4f44718ec05c1bba7f1b7
  SHA256 954a8e9eedc830c74c91c169586801e5b3d941b2f3faa2153a6825b564ea49c1
  SHA512 0cbd2766557f2e41b7abf8bab9fc50ba4c0d5ce40e59657d07fd865169321a2a43a15f13b095f45f0ea9fa716d137de585dc99efcdf53f88d6462c52aa531ed9
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\549C94847E35BE89DCE95DF86EA39378F22E5078
  Filesize 99KB
  MD5 45ff06c6bb6852809590eae10225c31a
  SHA1 303a4d713eb9377d4bea9798a5d2c52317a367b4
  SHA256 19c09fedddb3209854378e02a025865f29a2d55aa593f50b45dfedafe7b6a809
  SHA512 ce2ee9087f78601b4e0f528f131c113648d646355904041d5fe53a0fd38f295ee1e18b5a1666ab88dee03d37f6bee4d008a4f88f61ffa4c703361b806443d2b6
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\79679B23E6BBEB689E1C79E27C32C20C5EC9DF47
  Filesize 153KB
  MD5 5536a78b69534713464260d44bc8c5b1
  SHA1 7a560f4fd5aee83ad5c433420f4bcd800f522659
  SHA256 ecd23fc264a7a338a902c009f1df5a6368eff0a47e5b2f98bc9566c54a55b1d8
  SHA512 eca3bb97113ea4a1ded95d602120cf70ba075cd81723e63fc1aff16ebabcdefcde962796442f70a779cf9e48195e24b682dec32ad0e9db5d5c16c3c96c56fe09
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55
  Filesize 39KB
  MD5 07d03bb3ba86582179f2bc2c51329112
  SHA1 a5915334816a6c3d05c167bf3946bb33317ee483
  SHA256 35afc51a5fa333e78899b2a4033d0f6b456c3330bb106d977a0aa400bc32a050
  SHA512 04f748c9335b2651c561ffb8b062674f8794ea3fcc43e684954e75c1269d7817b6d0357adc791124deed40bb6fd7401db10d0ad8ced8fed7062347e98add7d11
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\B08771B6E8690B9A3CB12B3DEC8BFBED017D08C2
  Filesize 48KB
  MD5 2198806f9bfcdaded9053de76ede8304
  SHA1 dab93f359cfd3ade7bf88bf66977f71e96dda948
  SHA256 609ffacf6ff70f04c698cfdc10ce109e0821aa7f23508e1dd11b88a0fe6af09a
  SHA512 b94eed9685b587cc9b879a743117d9564b7e1eff5b56ba9131409713da11b16c9491cad91d486922fe03d7c953dbf34a64e35cabe3eb6c924a271e42c1b2ec2b
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\FDEAA0815DBBE19DF0AB32A1F5FBBAAFEB520D6D
  Filesize 152KB
  MD5 48fa5b8a586eee857fb0e5b853f479f5
  SHA1 11c76ac411ab5d4f36bf64857d15addd84d30177
  SHA256 5589a40deec047b7b219588fb08eb3cc63aee7c2b9922e760b0910093dd48a4e
  SHA512 6a64510aede5b368bbc8e3985a0df9dfbec1b3346a30a52d019ebf7688c4d0febdac2783711cbe2af99a52a1409109ddd2a86b1c7d8c7cdc78470225ab2ce830
- Filesize 507B
  MD5 6d0e849b0647746facd7c73f03b4d366
  SHA1 3138201a6608428b922bd86168b51cf80615bc91
  SHA256 c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72
  SHA512 3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a
- Filesize 399KB
  MD5 47c385042f357d957a4b2221f57f7d02
  SHA1 1fc3134a362877e7b90db5ec629128c31d53e93b
  SHA256 342c4f96ec107a968d3b2c39eb3176f85904d01c949c83295ce9c644cc65be65
  SHA512 ea3989c5949978087dcfa106389d098a87a5ddf74bf3d3d723d3fd5bbcd724667ef2d6d31a5d6e96a11d7d36834965cae08e661ba80b7449eec5723a35d15072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize 19KB
  MD5 9ee16192d4424f9c8552254a21b4c15e
  SHA1 e5afaba231001d5467f1aaaaa023109bdacdee94
  SHA256 ba91b9c63d97c2afc2704cf3e6549d1b80130b841948ffb488da606a7b3a245e
  SHA512 7af25a4416eb77898c4974920a887049c5fd49404f69a258703328e81f5003256383ccfabe4e8bbf47e68a7faea95e71418f5c66be6154a66fc862f0ff9e6c92
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\db\data.safe.bin
  Filesize 2KB
  MD5 c437ee2bb8cc7173fdcf641806e14927
  SHA1 2caa1134f303abbb29d614fbc9ed83b3944f3b6e
  SHA256 a1ebf1de97453697b124df734be9014cb6f11690e08f8421efb6d4285fc09f14
  SHA512 5bd081051a4cc662aa8a8f8bb1384fdbc2abdb75b6a08d720ce472b59b67101d921d3ae6a8e9540cedaa50e214e8445c4d9985b2d595f14db2de4236069259a4
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\78ea888e-dddb-4ca9-9ce4-eb32b641b54a
  Filesize 746B
  MD5 b70703684a41a6e62e6b604eb9db7b98
  SHA1 b3195250abaaebad3921c0e8965b0ad5b01f6945
  SHA256 d9fc54d1112e565d0403c4424571abeb4ea54a7dad48e044d54bf2bcff323e50
  SHA512 78a74469a8e41845585b586d1e810d6313ba5672b9d2a86fbc9a18a8ed3d23718bc0a285f73613af27f185f7f33c6995da61d8b47e81ec48a9473f567c117f75
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\datareporting\glean\pending_pings\bcd2a10e-0f24-4629-a084-710ca8d7953a
  Filesize 10KB
  MD5 8ef0e8df547559a1a366964c97b693d4
  SHA1 43aedc46a05753d509cfbf77b031c4ad6691cd1d
  SHA256 10325400769ebfd40b4e5594c42e64aa194da774a7005d7e687085b69e4b373c
  SHA512 0dc75d0199aba6b609b1f659c9e17229aa0fac6005dafed0f593ac979e3805f01903509dca4e3386108481a742e4109bf6ea976ccc281b8fb71990bd93d37b16
- Filesize 6KB
  MD5 bc892afdfc136db7bde26db6f99fb75f
  SHA1 a741b15fe47003522cb80376b9ad2dec9c3f00f4
  SHA256 d4989fd4208b3e2ae2711a174b2400cd436ea306512e0c0bc527740f294f1750
  SHA512 1626d45f5ef815e20d4cbc93b42f32a2b45fc743c68b47e390650d349664bba65ec7aebf56b63aa92860a9fae3fdc88b75d91215f26141f9bb0696d28488b5b9
- Filesize 6KB
  MD5 0afa6b67841ce50f8170005b05fc9532
  SHA1 d8c24a581404417dce026ec17f97586c84b925ff
  SHA256 5086b78437d5cfa77e5e5b46a90f4fdc9e23e68348853f786014944a19fc00ed
  SHA512 8bff87f5e1707be0262696b2f0d01992b84d5a4f5359dc5cf615c9cc9c6dd5204911ed4024b5e689b76953eab8d83c6e91c901196808c35503a2b4784bfc8422
- Filesize 6KB
  MD5 b562c3b3cb4ac3bb58ab1208ef020b52
  SHA1 9f745ac0f87179aaaa90effb54e7d9b6d6f7ee6b
  SHA256 1cef23b11c2e36beda89285a5833c770fc2a47b58d666514e3d72bdee47d4d0c
  SHA512 25be4f6c32078ba86db64ae141b41ef0d49c6c29784a2d192320db2de51a7d079f8a48867f8d15b530ca3aa79e2b1c9992d0077ae0d1f9c8d12802d7b94ed808
- Filesize 6KB
  MD5 af81de880d4d1b1e1ab4860face2c6d4
  SHA1 dfafeb972c81ec5ec92e1f6684aa876b91df57f4
  SHA256 debb6f5d407367a5b7473a9116af45754e846a58b60748482dc2884298f4db2d
  SHA512 cb83228329adb5e55e8e93918c1f262841007da63f810ac354c29b6e064d73fea4b1bce6446dec5b3490ffd7a171faeceda96c08de65fb28d76d6401e18b1728
- Filesize 6KB
  MD5 2fb7eb0752cd7f04ffe4bffd1dd514bd
  SHA1 695a4a836e787f76dc2f45f865ff33a640461548
  SHA256 5b5fb8bb7865759b9fa0c0db67c8de058a6670973d41ec4a0667db5aacc3b7f7
  SHA512 ce0b0624cfad820397646b469e4ddd659870f48407ac5a21e6122a3fe67022f5a0c8cb89fce0111a7e87b9f605d285a7dbfb396b92dc295635ef4db4379d7d2f
- Filesize 6KB
  MD5 f75fb2ce79e49791c2bfe2bf4141500b
  SHA1 8abf4004a82ed4a0d585ca47448a27b6b1804b4c
  SHA256 05cac9e0192154735b7f141108828e789aebdbd36e5a131bd8dd51933aa7e22c
  SHA512 7472247f8914aaca12b2a6637512288a7a1693a1c61e1769659beff2ebd3e7f9fc4cb762df7eddca50a1432aec0fc67d6f41c9e876679d418fbb24a4cdb5f86f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp
  Filesize 288B
  MD5 6b77a9f779399e95d1cee931a2c8f8ff
  SHA1 826efd4feb0d50fcce5696111af7c811b81adcd9
  SHA256 3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3
  SHA512 ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 9KB
  MD5 37f19f50626b822d176a02bb91d05136
  SHA1 38c8bec3d76d70bee63fe91b4cf8a64aca40f76e
  SHA256 206490a30c2552aaee8ddd4185246d10eb5aa5ef0129f672715f909e8a0f1184
  SHA512 fd0b5f5159b0de1f94a068dc8f04bfe4d3c50bf309510539dcf33e6c67271ac186b4f098a4bc60447620014169f077e2fef7a658386806a7f1e52144122af25c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 67e183ec935a5d3484857dab5cd3b335
  SHA1 906b41b764c783cec2089f474a2ed6eac41ec214
  SHA256 e33afc72b873170e5bba72b3a5d6b835406bdd268de28d740972ec4c15d889c2
  SHA512 43d02a7ff1724ad7b65ea1031feee66418d3765a9fa79165e7f15a6d74b0af608ef240b3fd9d83c435507163793dd93bb18e55b30d0f7bc6d6916011c4f41397
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 3KB
  MD5 6da2315b81191966fd6ad19c06b7e7dc
  SHA1 32758052d3af291542393b4c52d793d5772ad08a
  SHA256 e845794af7a81c1701a4345582e98e2fc057bb289bed65b013447e7eeae5441b
  SHA512 9ef8921ffbebf4a59f32d83057fdbbb08a6117a1efaa5a8c00397e4fae6d891d9fdd4840309b94bba4ebb0689a0b2bda605aa54c3a755c548314561eca7c27af
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 78de524fc3ae1b45f4c9e37f614d0d71
  SHA1 8c915e3cd22ebb4a11f47fb4e6786017d7e2e94c
  SHA256 ee0bd9aeccb9ef9842ce10ce62278d2ebbc39322ebfb0b63036d3173e2d18e43
  SHA512 61e2c89f6cbc59713a9da07a510462a96b71b15200d2f6ffe50836054bc59e8f68fa2e9e97b393955e282f60645986ad26d0ee9c8288e7232fe254ee8c84b675
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 a44e60f16945e2135a0ba59a8d6a2d5d
  SHA1 d39873e40eb89c23ba549bb545d9241507f79957
  SHA256 2d83f2125786eadf07fc0cd2e1d98cf31b357a577e5c4a1638cd5b1aec2f6ddd
  SHA512 7b0f099cf93b308dbd3f55ebca4cfe5d44cd413b2de4f34ced0a6ab7ec4e58aa92302650885709e6df90e157b148af98745cfe319d69739c9bd9169b26b2e7eb
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 390a0ffa9e15996605227dd449247cd9
  SHA1 8d0476324a1196b438766b6e7c038d7a2ca21d4b
  SHA256 9d45a743fc662142aadd46f1da34eaa86881db39bf36348f247734123388a8ea
  SHA512 936ac9116655da710b2841bad0a7c7c3ada2bcc618f28fceb8c269eb6bf90844b322a78daa981ec4081c0a393bf541f11488e3e9ed6cf494359f6069f17dd780
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 2c47ab1a32c565c79aed85e721c44796
  SHA1 e9612c91c2ab942691e21824c56314f69f103e4c
  SHA256 3e82c53e83aaa5420e78e02edfb837fe74d1b1a6788f82ae8d778f9d4e2d1fb1
  SHA512 def06272c0139ca383898cdc85d5082f139ff6acb5aaa5d547546788df0f7eea0bc702b52457750d2fb47969e0972cf1546a99b33f1a69bda4d6787ade45a5ac
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 7KB
  MD5 f32d3dc8326584e92ed67cf88851e65c
  SHA1 b6420ab9a7b1ea9231808e1700dad1a3f8f7eaf0
  SHA256 017b8637a607c13ac32ea8ebbbca0040c40f273950b98fef443a0c96dcde54a2
  SHA512 51f1b3cad56ab14167f40f2b6a548c7edc055aac201550b0e26e209cc99a189234109073be3238e228e5d6031fb7069e8cd9e33204dea8c1adf474e3db20c6c9
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 7KB
  MD5 ae9814c113b5522af80569ca8e453c83
  SHA1 04962fceb6c777d3a92d2b73072539f00e4fe63d
  SHA256 b83e94b413c2d03b82b45f159188b89f430a320c3d91405191261abf381410fc
  SHA512 366d918ebaa041ad42d58865f58e066053217416368af5075522551c427bc3a635a1a18c6d138918b68827f8d8fea688788f7548de604a098065e9777fedb28f
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 8KB
  MD5 02dee447d337bbe89bc418f575e96a3a
  SHA1 67b88f09c08fa459648246e7f0d671e253451b5d
  SHA256 39bae9b98e9ef0729d49b0aa18d5f1972d9365e01fb19e670b945ae2d102c5d7
  SHA512 f56059b9138511df9aaabbc64458fef749bf5cb087db9b059da78966b28d4426d2726b550b3c440f8d9895c71f803ed965c55ba774c4d771f1e684113f1fe6dd
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
  Filesize 9KB
  MD5 d0d6d5858d23928e59fd55c0305bdeaa
  SHA1 638863dda8f0a4304d7240f297b924159b0ce092
  SHA256 483586a30d65e353882de37bd2f2bb1bbb1c3353454495ec0c05a6e83709c600
  SHA512 9be4702f38f33688630aba2afbe3e4372ebf03f72cf3277aee0055ac8c67044e596911b8714ad171ac6a84caebb61241f2cd1e3c15c84f0f6a8eb52fcc8ee172
- Filesize 2.2MB
  MD5 50f2f742a4dd011360c66fc4999ff4ac
  SHA1 fb37080d9a2bd2f9aa21f34a507422813eccd756
  SHA256 db277f8fbda6e0e1c2a20c20643c3590abfdb180aaf668bbc98ae885f3583795
  SHA512 f67338f4bc6df7834fdcaf9aec461c2fa1480481cce3d2c0fc816952b5d1390cd3c8135c5aa19c5dbefd3ea0c8dba2dca5dd4cf064bf29f68ab0976fc5dd5248
- Filesize 36KB
  MD5 f2a5a46496d753345f1b6679acdda5e0
  SHA1 cac07dd3a9c4a3dff2cb6d3da59a4a627152f78b
  SHA256 364a3370e92e816de2840b73e563038a4575217a4b2074da36f9e4e57f229350
  SHA512 921b6eade070d395efe5cbedc50da85dc5fc4b9dc381e8dc1bcb8c016ead76575da3a4f33628e155abae56a66dbd53924216c5b83653260df35f248cc199967e
- Filesize 2.7MB
  MD5 269f314b87e6222a20e5f745b6b89783
  SHA1 b0ca05c12ebb9a3610206bad7f219e02b7873cbd
  SHA256 c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257
  SHA512 34c574c78315cb83aac1b763a4f26f978d6c80d8e5bd61b601d16fdce2bccc109f8b46f03fb938a2ff2b9acb4793313f75b15539006e72b827ff7673507e5beb
- Filesize 15KB
  MD5 4728fa423c11b4cb1cf74e9f9468f749
  SHA1 18f68b2bc477b4c92f968144c98b059ae873ef94
  SHA256 da1cf09588f89e1fe4fd38a01c0d8e2c8335d0485df4b022211e37418de9f9e5
  SHA512 3151ed467dee808936e49133345a79943ba19aa4d7a85fc74955d752fc83010051f3ca176abf8c75b5f90183b718d54bdbb264f4cad49867de254c1010118c05