Analysis Overview
SHA256
4c3fad8ea837861fe54356ad6e7e40cce2fe305b9cb323f07d8802c93a440b70
Threat Level: Known bad
The file NocturneLoader.bin was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Executes dropped EXE
Uses the VBS compiler for execution
Drops startup file
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Adds Run key to start application
Suspicious use of SetThreadContext
UPX packed file
Drops autorun.inf file
Subvert Trust Controls: Mark-of-the-Web Bypass
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Kills process with taskkill
Checks processor information in registry
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-08 09:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-08 09:56
Reported: 2024-10-08 10:03
Platform: win10-20240404-en
Max time kernel: 386s
Max time network: 386s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\984559f52d4087243e95e5ad9bb48e8d.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\dotNetFx35setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\984559f52d4087243e95e5ad9bb48e8d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\984559f52d4087243e95e5ad9bb48e8d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | camo.githubusercontent.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | D:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5884 set thread context of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Downloads\dotNetFx35setup.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\dotNetFx35setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\NodeSlot = "5" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 90003100000000004859784f10004e4a524154307e312e3744470000740009000400efbe4859784f4859784f2e000000a9ab0100000008000000000000000000000000000000526e38004e006a00520061007400200030002e0037004400200047007200650065006e002000450064006900740069006f006e00200062007900200069006d0035003200330000001c000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\MRUListEx = ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\NodeSlot = "6" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1 = 14002e8005398e082303024b98265d99428e115f0000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 90003100000000004859784f10004e4a524154307e312e3744470000740009000400efbe4859784f4859784f2e000000a7ab0100000008000000000000000000000000000000d7bf47004e006a00520061007400200030002e0037004400200047007200650065006e002000450064006900740069006f006e00200062007900200069006d0035003200330000001c000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 9e003100000000004859784f10004e4a5241542d7e312e37442d0000820009000400efbe4859784f4859784f2e0000004ea1010000000300000000000000000000000000000008224a004e006a005200610074002d0030002e00370044002d0047007200650065006e002d00450064006900740069006f006e002d00620079002d0069006d003500320033002d006d006100730074006500720000001c000000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\dotNetFx35setup.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\NjRat-0.7D-Green-Edition-by-im523-master.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OptionalFeatures.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\NocturneLoader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.0.1811862586\846525327" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b495f21a-4434-4ac2-a539-db2d1b45c24f} 780 "\\.\pipe\gecko-crash-server-pipe.780" 1828 2ab1d8d7a58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.1.560869547\518342937" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ede8d8-9780-43f6-8e4a-f5750f300dee} 780 "\\.\pipe\gecko-crash-server-pipe.780" 2184 2ab1d8b9d58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.2.996990159\1995291789" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d3e344-a542-4b4d-8b9b-01ec794c3dab} 780 "\\.\pipe\gecko-crash-server-pipe.780" 2872 2ab1d85aa58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.3.759991510\769022317" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3616 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cec9445-ec71-49af-bab8-d29879b706cd} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3640 2ab12b67e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.4.990238164\378739760" -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 4032 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {261c1900-0fa7-4f8e-b7df-a5bbe6c71f4b} 780 "\\.\pipe\gecko-crash-server-pipe.780" 4048 2ab23396258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.5.99984836\67731113" -childID 4 -isForBrowser -prefsHandle 1524 -prefMapHandle 4616 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d8f989b-b3ac-407c-9ca3-d75dc54ea165} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5044 2ab203cef58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.6.619234961\517638514" -childID 5 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9fb9878-f673-44f5-b759-74608fec48d9} 780 "\\.\pipe\gecko-crash-server-pipe.780" 4800 2ab24422658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.7.848441975\2093024084" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {812f7634-7073-4bd5-a6ae-459b5c7eb8ea} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5296 2ab250d2058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.8.821937443\1380851066" -childID 7 -isForBrowser -prefsHandle 5664 -prefMapHandle 5332 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db784e0d-354a-409a-874a-a3504d3b5b38} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5672 2ab262b7e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.9.1804704977\1095433700" -childID 8 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d9efe54-6eba-4bf9-8e20-18c1ee1a9d2e} 780 "\\.\pipe\gecko-crash-server-pipe.780" 1664 2ab26558b58 tab
C:\Users\Admin\Downloads\dotNetFx35setup.exe
"C:\Users\Admin\Downloads\dotNetFx35setup.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\OptionalFeatures.exe
"C:\Windows\system32\OptionalFeatures.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.10.259720370\1145899561" -childID 9 -isForBrowser -prefsHandle 1628 -prefMapHandle 4816 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea97ce77-fb99-41ba-b5c5-5a810dccabea} 780 "\\.\pipe\gecko-crash-server-pipe.780" 4216 2ab1f51ff58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.11.290450059\1366764480" -childID 10 -isForBrowser -prefsHandle 5264 -prefMapHandle 5248 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5598e857-b855-42a2-8418-0f12bfba4b00} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5236 2ab25e9e658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.12.1761787092\426501069" -childID 11 -isForBrowser -prefsHandle 6796 -prefMapHandle 6828 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58fa037a-df6d-47a9-979a-fd7387ffd8a5} 780 "\\.\pipe\gecko-crash-server-pipe.780" 6756 2ab1f4f3858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.13.446233759\1109011766" -childID 12 -isForBrowser -prefsHandle 4784 -prefMapHandle 4884 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d8b0bb2-11df-40ea-84f6-6d6c900d5f8e} 780 "\\.\pipe\gecko-crash-server-pipe.780" 5064 2ab22332458 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\Desktop\NjRat-0.7D-Green-Edition-by-im523-master\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523\NjRat 0.7D Green Edition by im523.exe
"NjRat 0.7D Green Edition by im523.exe"
C:\Windows\explorer.exe
explorer
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Downloads\Server.exe"
C:\Users\Admin\Downloads\Server.exe
"C:\Users\Admin\Downloads\Server.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Exsample.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\4492587"
C:\Windows\SysWOW64\shutdown.exe
shutdown -l -t 00
C:\Windows\SysWOW64\shutdown.exe
shutdown -s -t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa7055 /state1:0x41c64e6d
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
Files
| SHA512 | b94eed9685b587cc9b879a743117d9564b7e1eff5b56ba9131409713da11b16c9491cad91d486922fe03d7c953dbf34a64e35cabe3eb6c924a271e42c1b2ec2b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0
| MD5 | a14ba3169c7de1fdaeb50cd26288075f |
| SHA1 | 6f50ce7f92e65984bfa4f44718ec05c1bba7f1b7 |
| SHA256 | 954a8e9eedc830c74c91c169586801e5b3d941b2f3faa2153a6825b564ea49c1 |
| SHA512 | 0cbd2766557f2e41b7abf8bab9fc50ba4c0d5ce40e59657d07fd865169321a2a43a15f13b095f45f0ea9fa716d137de585dc99efcdf53f88d6462c52aa531ed9 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\549C94847E35BE89DCE95DF86EA39378F22E5078
| MD5 | 45ff06c6bb6852809590eae10225c31a |
| SHA1 | 303a4d713eb9377d4bea9798a5d2c52317a367b4 |
| SHA256 | 19c09fedddb3209854378e02a025865f29a2d55aa593f50b45dfedafe7b6a809 |
| SHA512 | ce2ee9087f78601b4e0f528f131c113648d646355904041d5fe53a0fd38f295ee1e18b5a1666ab88dee03d37f6bee4d008a4f88f61ffa4c703361b806443d2b6 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\79679B23E6BBEB689E1C79E27C32C20C5EC9DF47
| MD5 | 5536a78b69534713464260d44bc8c5b1 |
| SHA1 | 7a560f4fd5aee83ad5c433420f4bcd800f522659 |
| SHA256 | ecd23fc264a7a338a902c009f1df5a6368eff0a47e5b2f98bc9566c54a55b1d8 |
| SHA512 | eca3bb97113ea4a1ded95d602120cf70ba075cd81723e63fc1aff16ebabcdefcde962796442f70a779cf9e48195e24b682dec32ad0e9db5d5c16c3c96c56fe09 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\je1358xf.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55
| MD5 | 07d03bb3ba86582179f2bc2c51329112 |
| SHA1 | a5915334816a6c3d05c167bf3946bb33317ee483 |
| SHA256 | 35afc51a5fa333e78899b2a4033d0f6b456c3330bb106d977a0aa400bc32a050 |
| SHA512 | 04f748c9335b2651c561ffb8b062674f8794ea3fcc43e684954e75c1269d7817b6d0357adc791124deed40bb6fd7401db10d0ad8ced8fed7062347e98add7d11 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | f32d3dc8326584e92ed67cf88851e65c |
| SHA1 | b6420ab9a7b1ea9231808e1700dad1a3f8f7eaf0 |
| SHA256 | 017b8637a607c13ac32ea8ebbbca0040c40f273950b98fef443a0c96dcde54a2 |
| SHA512 | 51f1b3cad56ab14167f40f2b6a548c7edc055aac201550b0e26e209cc99a189234109073be3238e228e5d6031fb7069e8cd9e33204dea8c1adf474e3db20c6c9 |
C:\Users\Admin\Downloads\NjRat-0.g6wlkQIz.7D-Green-Edition-by-im523-master.zip.part
| MD5 | 50f2f742a4dd011360c66fc4999ff4ac |
| SHA1 | fb37080d9a2bd2f9aa21f34a507422813eccd756 |
| SHA256 | db277f8fbda6e0e1c2a20c20643c3590abfdb180aaf668bbc98ae885f3583795 |
| SHA512 | f67338f4bc6df7834fdcaf9aec461c2fa1480481cce3d2c0fc816952b5d1390cd3c8135c5aa19c5dbefd3ea0c8dba2dca5dd4cf064bf29f68ab0976fc5dd5248 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 37f19f50626b822d176a02bb91d05136 |
| SHA1 | 38c8bec3d76d70bee63fe91b4cf8a64aca40f76e |
| SHA256 | 206490a30c2552aaee8ddd4185246d10eb5aa5ef0129f672715f909e8a0f1184 |
| SHA512 | fd0b5f5159b0de1f94a068dc8f04bfe4d3c50bf309510539dcf33e6c67271ac186b4f098a4bc60447620014169f077e2fef7a658386806a7f1e52144122af25c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
| MD5 | 9ee16192d4424f9c8552254a21b4c15e |
| SHA1 | e5afaba231001d5467f1aaaaa023109bdacdee94 |
| SHA256 | ba91b9c63d97c2afc2704cf3e6549d1b80130b841948ffb488da606a7b3a245e |
| SHA512 | 7af25a4416eb77898c4974920a887049c5fd49404f69a258703328e81f5003256383ccfabe4e8bbf47e68a7faea95e71418f5c66be6154a66fc862f0ff9e6c92 |
C:\Users\Admin\AppData\Local\Temp\stub.il
| MD5 | 47c385042f357d957a4b2221f57f7d02 |
| SHA1 | 1fc3134a362877e7b90db5ec629128c31d53e93b |
| SHA256 | 342c4f96ec107a968d3b2c39eb3176f85904d01c949c83295ce9c644cc65be65 |
| SHA512 | ea3989c5949978087dcfa106389d098a87a5ddf74bf3d3d723d3fd5bbcd724667ef2d6d31a5d6e96a11d7d36834965cae08e661ba80b7449eec5723a35d15072 |
C:\Users\Admin\Downloads\Server.exe
| MD5 | f2a5a46496d753345f1b6679acdda5e0 |
| SHA1 | cac07dd3a9c4a3dff2cb6d3da59a4a627152f78b |
| SHA256 | 364a3370e92e816de2840b73e563038a4575217a4b2074da36f9e4e57f229350 |
| SHA512 | 921b6eade070d395efe5cbedc50da85dc5fc4b9dc381e8dc1bcb8c016ead76575da3a4f33628e155abae56a66dbd53924216c5b83653260df35f248cc199967e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
| MD5 | 6b5a2c06d34c86bcc8aacc3a739fd362 |
| SHA1 | 54fc90eaa12ba9251414e8dac83fdae08819ee42 |
| SHA256 | 1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68 |
| SHA512 | 228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | a5daddfac8af8059b6f3fd0a43663f7c |
| SHA1 | 9ffc05718a2d669d3d284e5cada0da115620a1ee |
| SHA256 | ae216552f6dad3cc4a3754eeb1741785dadbc210ac47ebba29468b60ec2c615b |
| SHA512 | 1046b1ef70ec37aef21e8aef65f6ce449c50efa5dcff84f46e7a72a353e0b68d2f77ac122bea79c2304b4d7ca1b14a6b2a59d551c1d6a674b69b0b1612a00818 |
memory/5172-1070-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5172-1071-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5172-1072-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5172-1077-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4492587
| MD5 | 6d0e849b0647746facd7c73f03b4d366 |
| SHA1 | 3138201a6608428b922bd86168b51cf80615bc91 |
| SHA256 | c2f229ba47f29fccb6d35a908e887bf97e9e87cdb1110e855d5caa39571e5d72 |
| SHA512 | 3839589f64141ba269f95e2726dd040ee09b6c9c09f5765dcdba847b02f68fa000b588a272f17e73ac42e81b3bb154535dc20da6dce0682b4b3a1ac2daada86a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionCheckpoints.json.tmp
| MD5 | 6b77a9f779399e95d1cee931a2c8f8ff |
| SHA1 | 826efd4feb0d50fcce5696111af7c811b81adcd9 |
| SHA256 | 3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3 |
| SHA512 | ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs.js
| MD5 | b562c3b3cb4ac3bb58ab1208ef020b52 |
| SHA1 | 9f745ac0f87179aaaa90effb54e7d9b6d6f7ee6b |
| SHA256 | 1cef23b11c2e36beda89285a5833c770fc2a47b58d666514e3d72bdee47d4d0c |
| SHA512 | 25be4f6c32078ba86db64ae141b41ef0d49c6c29784a2d192320db2de51a7d079f8a48867f8d15b530ca3aa79e2b1c9992d0077ae0d1f9c8d12802d7b94ed808 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\sessionstore.jsonlz4
| MD5 | d0d6d5858d23928e59fd55c0305bdeaa |
| SHA1 | 638863dda8f0a4304d7240f297b924159b0ce092 |
| SHA256 | 483586a30d65e353882de37bd2f2bb1bbb1c3353454495ec0c05a6e83709c600 |
| SHA512 | 9be4702f38f33688630aba2afbe3e4372ebf03f72cf3277aee0055ac8c67044e596911b8714ad171ac6a84caebb61241f2cd1e3c15c84f0f6a8eb52fcc8ee172 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\je1358xf.default-release\prefs-1.js
| MD5 | bc892afdfc136db7bde26db6f99fb75f |
| SHA1 | a741b15fe47003522cb80376b9ad2dec9c3f00f4 |
| SHA256 | d4989fd4208b3e2ae2711a174b2400cd436ea306512e0c0bc527740f294f1750 |
| SHA512 | 1626d45f5ef815e20d4cbc93b42f32a2b45fc743c68b47e390650d349664bba65ec7aebf56b63aa92860a9fae3fdc88b75d91215f26141f9bb0696d28488b5b9 |