njrat | 4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414

Analysis

max time kernel
896s
max time network
570s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload1234.exe
Size

54KB
MD5

036b3d9a4d952a24395e7bb611c343fc
SHA1

c22e1bd6a08cb355af0916d071c1bca492b71948
SHA256

4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414
SHA512

2a0e6508fba8adec93929db094e664b252cfa635694a7d2e72c4b7d3ba2be6d30c37e5de17559dd728fdeda27fd5f843247a197339255b1d2c178dea34c6652b
SSDEEP

768:GmAQsCB2EsltNnVpladJr3N8JSNGExWQG35bmaePD5Pv42XXJdxIEpmJg:GmJtGtNnpabrmGGWWQcGD/X3xIEpmJg

Score

10^/10

njrat ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Njrat family
njrat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 23 IoCs

pid	Process
1728	ad07833249454f2fbb4e5ffebb25b9b9.exe
6052	b8291a88dd6e488392af53d69b63c3ae.exe
3984	erroricons.exe
5912	INVERS.exe
4924	crazywarningicons.exe
3124	crazyinvers.exe
4576	erroriconscursor.exe
5428	toonel.exe
348	615926700efd46a2babefaefeb1900b4.exe
3584	a6c9aa07b604486fb5ea747f13141abb.exe
5388	a6c9aa07b604486fb5ea747f13141abbSrv.exe
2136	6e4774ae0ebc4c3fbf17d57912f1dabe.exe
5956	2989bd2c9501465eafeb2894aac53503.exe
1320	e647b426f46a4275938edb7cb9515a54.exe
4428	2d4b6976b29e4ec7932e8eb085d4e7b0.exe
2096	17b831c32da242d381233584e6a70bbb.exe
5888	02b62af6c3ac4f63a1b915eb3f25ffb2.exe
1332	ec955a7b12b04f4fa5beec1c4910fbb7.exe
5484	aa1ada8074a5432fafa39bc2c4381bf7.exe
2896	ed9b8ca7aabc423ea52dc3e30f777055.exe
2392	257a30b2ddbe4b06bf8c4fbaddeebad6.exe
2720	db063e60fd50451f83aa5a0bad8e5941.exe
4536	b369b16c5f314cc092ff9d3918a2da35.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b28f-664.dat	upx
behavioral1/memory/3584-668-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/files/0x001900000002b292-671.dat	upx
behavioral1/memory/5388-672-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/5388-674-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3584-681-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2924	5388	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8291a88dd6e488392af53d69b63c3ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6c9aa07b604486fb5ea747f13141abb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e4774ae0ebc4c3fbf17d57912f1dabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad07833249454f2fbb4e5ffebb25b9b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6c9aa07b604486fb5ea747f13141abbSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b369b16c5f314cc092ff9d3918a2da35.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5188	cmd.exe
5840	PING.EXE

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{D05B473D-0E29-475A-81E0-84D8E9D13308}	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5840	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4988	vlc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe
5764	Payload1234.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4988	vlc.exe
3584	a6c9aa07b604486fb5ea747f13141abb.exe
5764	Payload1234.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: SeDebugPrivilege	5736	firefox.exe
Token: SeDebugPrivilege	5736	firefox.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: SeShutdownPrivilege	5420	WScript.exe
Token: SeCreatePagefilePrivilege	5420	WScript.exe
Token: 33	3652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3652	AUDIODG.EXE
Token: SeShutdownPrivilege	5420	WScript.exe
Token: SeCreatePagefilePrivilege	5420	WScript.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5764	Payload1234.exe
Token: 33	5764	Payload1234.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
5736	firefox.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4536	b369b16c5f314cc092ff9d3918a2da35.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5736	firefox.exe
4988	vlc.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4904	AcroRd32.exe
4536	b369b16c5f314cc092ff9d3918a2da35.exe
4536	b369b16c5f314cc092ff9d3918a2da35.exe
4536	b369b16c5f314cc092ff9d3918a2da35.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5076 wrote to memory of 5736	5076	firefox.exe	82
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 3728	5736	firefox.exe	83
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84
PID 5736 wrote to memory of 5256	5736	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Payload1234.exe
"C:\Users\Admin\AppData\Local\Temp\Payload1234.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5764
- C:\Users\Admin\AppData\Local\Temp\ad07833249454f2fbb4e5ffebb25b9b9.exe
  "C:\Users\Admin\AppData\Local\Temp\ad07833249454f2fbb4e5ffebb25b9b9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\b8291a88dd6e488392af53d69b63c3ae.exe
  "C:\Users\Admin\AppData\Local\Temp\b8291a88dd6e488392af53d69b63c3ae.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5644
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
      erroricons.exe
      4⤵
      Executes dropped EXE
      PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
      INVERS.exe
      4⤵
      Executes dropped EXE
      PID:5912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
      crazywarningicons.exe
      4⤵
      Executes dropped EXE
      PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
      crazyinvers.exe
      4⤵
      Executes dropped EXE
      PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
      erroriconscursor.exe
      4⤵
      Executes dropped EXE
      PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
      toonel.exe
      4⤵
      Executes dropped EXE
      PID:5428
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1160
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
- C:\Users\Admin\AppData\Local\Temp\615926700efd46a2babefaefeb1900b4.exe
  "C:\Users\Admin\AppData\Local\Temp\615926700efd46a2babefaefeb1900b4.exe"
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Users\Admin\AppData\Local\Temp\a6c9aa07b604486fb5ea747f13141abb.exe
  "C:\Users\Admin\AppData\Local\Temp\a6c9aa07b604486fb5ea747f13141abb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\a6c9aa07b604486fb5ea747f13141abbSrv.exe
    C:\Users\Admin\AppData\Local\Temp\a6c9aa07b604486fb5ea747f13141abbSrv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 328
      4⤵
      Program crash
      PID:2924
- C:\Users\Admin\AppData\Local\Temp\6e4774ae0ebc4c3fbf17d57912f1dabe.exe
  "C:\Users\Admin\AppData\Local\Temp\6e4774ae0ebc4c3fbf17d57912f1dabe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\2989bd2c9501465eafeb2894aac53503.exe
  "C:\Users\Admin\AppData\Local\Temp\2989bd2c9501465eafeb2894aac53503.exe"
  2⤵
  - Executes dropped EXE
  PID:5956
- C:\Users\Admin\AppData\Local\Temp\e647b426f46a4275938edb7cb9515a54.exe
  "C:\Users\Admin\AppData\Local\Temp\e647b426f46a4275938edb7cb9515a54.exe"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\2d4b6976b29e4ec7932e8eb085d4e7b0.exe
  "C:\Users\Admin\AppData\Local\Temp\2d4b6976b29e4ec7932e8eb085d4e7b0.exe"
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\17b831c32da242d381233584e6a70bbb.exe
  "C:\Users\Admin\AppData\Local\Temp\17b831c32da242d381233584e6a70bbb.exe"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\02b62af6c3ac4f63a1b915eb3f25ffb2.exe
  "C:\Users\Admin\AppData\Local\Temp\02b62af6c3ac4f63a1b915eb3f25ffb2.exe"
  2⤵
  - Executes dropped EXE
  PID:5888
- C:\Users\Admin\AppData\Local\Temp\ec955a7b12b04f4fa5beec1c4910fbb7.exe
  "C:\Users\Admin\AppData\Local\Temp\ec955a7b12b04f4fa5beec1c4910fbb7.exe"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\aa1ada8074a5432fafa39bc2c4381bf7.exe
  "C:\Users\Admin\AppData\Local\Temp\aa1ada8074a5432fafa39bc2c4381bf7.exe"
  2⤵
  - Executes dropped EXE
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\ed9b8ca7aabc423ea52dc3e30f777055.exe
  "C:\Users\Admin\AppData\Local\Temp\ed9b8ca7aabc423ea52dc3e30f777055.exe"
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\257a30b2ddbe4b06bf8c4fbaddeebad6.exe
  "C:\Users\Admin\AppData\Local\Temp\257a30b2ddbe4b06bf8c4fbaddeebad6.exe"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\db063e60fd50451f83aa5a0bad8e5941.exe
  "C:\Users\Admin\AppData\Local\Temp\db063e60fd50451f83aa5a0bad8e5941.exe"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\b369b16c5f314cc092ff9d3918a2da35.exe
  "C:\Users\Admin\AppData\Local\Temp\b369b16c5f314cc092ff9d3918a2da35.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn CleanSweepCheck /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Payload1234.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5188
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1956 -prefsLen 27097 -prefMapHandle 1960 -prefMapSize 270279 -ipcHandle 2044 -initialChannelId {7a58a7fe-1567-4c7b-9fcc-83c4bb2533d0} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:3728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2412 -prefsLen 27133 -prefMapHandle 2416 -prefMapSize 270279 -ipcHandle 2424 -initialChannelId {e3cc04fc-fa44-45a2-8eb2-b48202253830} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3824 -prefsLen 27274 -prefMapHandle 3828 -prefMapSize 270279 -jsInitHandle 3832 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3840 -initialChannelId {8ed33a00-2bf8-4797-83e0-11aef07029be} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:2504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3992 -prefsLen 27274 -prefMapHandle 3996 -prefMapSize 270279 -ipcHandle 4080 -initialChannelId {7554322b-a50b-45ca-b8ec-424250e747b7} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:4656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1684 -prefsLen 34773 -prefMapHandle 3040 -prefMapSize 270279 -jsInitHandle 3248 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3088 -initialChannelId {d94737f6-afe4-4d6a-a9d2-27844df480bd} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2556 -prefsLen 34957 -prefMapHandle 3468 -prefMapSize 270279 -ipcHandle 5012 -initialChannelId {e4f3ca34-f915-448c-b9e0-5be6c0d9c62a} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:3452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5660 -prefsLen 32952 -prefMapHandle 5664 -prefMapSize 270279 -jsInitHandle 5668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5636 -initialChannelId {709635e6-d05e-44ca-bc77-1558d0212b9f} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:4460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5772 -prefsLen 32952 -prefMapHandle 5776 -prefMapSize 270279 -jsInitHandle 5780 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5788 -initialChannelId {6fe3045c-dafa-4e2b-92b3-646dde339a71} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5956 -prefsLen 32952 -prefMapHandle 5960 -prefMapSize 270279 -jsInitHandle 5964 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5972 -initialChannelId {60e95728-be39-4a6a-962c-0ad573f95a64} -parentPid 5736 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5736" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:5032

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4904
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4416
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA6BF4B62A227B89814377CE5128C68D --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1D62BC3CD660B96E10FBC1041A723F3D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1D62BC3CD660B96E10FBC1041A723F3D --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A5C06DB88890B422F406A005E5CEA1A1 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5C15FADD0C8C149E2F6B426CE87A690 --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1123017AD2B05FA00A1F2125750F2A7 --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000478 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5388 -ip 5388
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\02b62af6c3ac4f63a1b915eb3f25ffb2.exe.log

Filesize
594B

MD5
17d54af051d6e2279756e0394df4e94f

SHA1
c781de77a9d3f733c873e692288fdb28f0979d31

SHA256
940a773e48b39e5986e29d7b7ff9f8d92318495d18192ffe80a4c8e9988def15

SHA512
2fc05b403c74d1a3fbd8f45a625b6d454abfb08e317fabf210b4a8fc1e0d08376fc781819e4feec4254bb5b84ab355e3cef524f93710fc0e1625c2e8f178fb77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
5c44e27b856db169635881ba67aaa0e8

SHA1
3f0d99399500f29c51d4a560d960b27710ad6f2d

SHA256
461f4f10b8436d6f697fda640aea96a572f0efbbad15a0cca4a6f147dea4891a

SHA512
c7b87d16fee058e95d76ec524e311a7034ce7d90faabe050d380bbffa8382b12bd198db987b652998b6ba1ac72c6deef9de83a44a7d5864a2fef551a8170982d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\02b62af6c3ac4f63a1b915eb3f25ffb2.exe

Filesize
997KB

MD5
28aaac578be4ce06cb695e4f927b4302

SHA1
880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

SHA256
8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

SHA512
068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

Download Submit
C:\Users\Admin\AppData\Local\Temp\17b831c32da242d381233584e6a70bbb.exe

Filesize
345KB

MD5
8efb7339fe13cf8cea9f6445776655c0

SHA1
081afd73c757c83825cf1e8ed4a4eab259d23b97

SHA256
c1badbacd2abe44fe4e8685c8eee7e983bf8b6780cfca03ae31f8fcebc98b1fb

SHA512
2a37e74aeff17b4f435d02a30019a017a4ff4fa29fc898229f6195876f53b38154c063cf052deebcc06785650f875d67eeb0de372a76df3c4e71bd4fc0392956

Download Submit
C:\Users\Admin\AppData\Local\Temp\2989bd2c9501465eafeb2894aac53503.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\615926700efd46a2babefaefeb1900b4.exe

Filesize
3.2MB

MD5
e1304c8c7de82cec303f2e79f17c7785

SHA1
b4564a214dfe02a46db65db6612d7c3bd0973177

SHA256
9ca2cc9b71cfa8106d87d8f37b8c87a9da9df9f729b85ebe6307cd54f05a29cf

SHA512
6f5bc47f2bfdbcf64b06c033c37eda816b5b940ed1e7e409108c18b47b5a532bdc3d2787dee77fee2a2631ba1a74b5e64c6e7ab5d5451227eb33976f3187cc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e4774ae0ebc4c3fbf17d57912f1dabe.exe

Filesize
63KB

MD5
2cf51977ed60a9a59d29a72075ce52ad

SHA1
960e40eaa8445c0049d11f97abba7f4b465ad4d5

SHA256
64735679e70b0d6e67198c28df11cf449dc114df01f6c336d61a9da39448f853

SHA512
bfcad9e99ff0dfd2cd917b8160cccab3710ed9974a6c15ea7dd1b0db965a51eec5ac588a87c4bab37af60504a3deb4f11de0a4d93a0c3648673b0dc0824646ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe

Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

Filesize
2.3MB

MD5
a44458813e819777013eb3e644d74362

SHA1
2dd0616ca78e22464cf0cf68ef7915358a16f9ee

SHA256
47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

SHA512
1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

Filesize
1.2MB

MD5
e21bb4749a8b1b6fc26a7bcf57781836

SHA1
89cb0bd80d691ca650ad01551be3acefa2256ebd

SHA256
0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

SHA512
b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dobrota.mp3

Filesize
7.0MB

MD5
4be9ff00511eb53793b9a0e79d063319

SHA1
e60743eceb2860e59a1a54703d39c116dc8e68a2

SHA256
a3015af7b84abde8a568e50006721397849bad8e91a47f20dac288502b3bc6c8

SHA512
b72c4c8b570c95b3ee04bd32325c160cc993322d4de41d8f7d10f3468a6e3b4c71cf8d7268136b7bc7dc4cf56e6b288bbbd7fc18fd5d6e95a8ccf293b0f21719

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe

Filesize
316KB

MD5
135eeb256e92d261066cfd3ffd31fb3e

SHA1
5c275ffd2ab1359249bae8c91bebcab19a185e91

SHA256
f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

SHA512
a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs

Filesize
41B

MD5
2438353e53a3c92256b46c55957afdb1

SHA1
300f902c7ef0480861981b2e7471e6f454b24142

SHA256
e582250541db046151fb0e5c903d06192105930c5b1ef4608425f76fe6e1c467

SHA512
d3a56222df3341eadf3860d85d6eda56ca7673e5a1f2ec7d6ef9b487c5fcb03eff7775995e026a8850e6fcad5fe9ccbe6e98219575480ba49241fcb1eca9c0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs

Filesize
41B

MD5
2dd1c08b4e308ea40e12c790eee03b84

SHA1
aa631c934b65c6f9da3c490a41085dd32438126d

SHA256
ec5656de7dd85d85260ecb02fd47d7842df31e063ccb90d5270af6d71bf17aac

SHA512
86c9d1ec6db925c9c90e1fbcc6828035fd22e2020ddce81f70a2e8bfd5d5979388e8babbf955757def32325a0cc1ba33304797f46a2ab1ef524d8edbef9d67ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs

Filesize
216B

MD5
c36c15e1f99e1c0d093b9b089b1073c5

SHA1
47a237639f83d8de0c2034831ff3e12a3bad7408

SHA256
3d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736

SHA512
4283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat

Filesize
205B

MD5
47fef7e366f39175f9467a5a33675b40

SHA1
4a55fdc489cb4b67517e04fe1eadc63dfff7b232

SHA256
7670d34d64f41ae60bffdd902e4d566b7fdd0c7782738782d5a8dbe59cce2001

SHA512
ea5ee454f8fa4ce2e7519c3b8772a8083586d4c4eefa981410c17d67d0ae8e8e716f8693d331a040d5fd29cb007988af2472a0b36840805098be492f863a4e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe

Filesize
317KB

MD5
a84257e64cfbd9f6c0a574af416bc0d1

SHA1
245649583806d63abb1b2dc1947feccc8ce4a4bc

SHA256
fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

SHA512
6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6c9aa07b604486fb5ea747f13141abb.exe

Filesize
76KB

MD5
6d7f5d02d25e289cb29cc23b8e90e484

SHA1
15a5d3b93a149689df3c396ce2243ba4d027f0b3

SHA256
cd5dfdde4767c1f70756f5ffb8bfcca701ed62a96bfa6a007e32e5916b5021e6

SHA512
8af7188fa6ae5d03ae60929744c852e14151d411b83c62297185229f6ab3ebff562b09426393995427d05f19bbef3b6cbee1e483255b91e0adb429d421c297fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6c9aa07b604486fb5ea747f13141abbSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa1ada8074a5432fafa39bc2c4381bf7.exe

Filesize
583KB

MD5
320b1115164e8b5e1316d86eb29cd299

SHA1
bc046d8b14359a7a2bebdecbb819e76c47d84d1b

SHA256
d88f5b00da5f05ab7f55fd7c414bb56aaf47e9f51365aaabd71f3ace3cc77523

SHA512
fab558cf31aa79caf8e4f6e5649e4e484de3e29bae1386aa61749b70e8c791d74b01fa964501d4755c7688d0420e932f30e36699a2fe4488fae82ee23558afd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad07833249454f2fbb4e5ffebb25b9b9.exe

Filesize
135KB

MD5
c971c68b4e58ccc82802b21ae8488bc7

SHA1
7305f3a0a0a0d489e0bcf664353289f61556de77

SHA256
cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce

SHA512
ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b369b16c5f314cc092ff9d3918a2da35.exe

Filesize
500KB

MD5
07a9f858f9867f52163d7cec3bd899e3

SHA1
d7feae9f88b807606b747a27ac95ede57b2615f5

SHA256
0fde5da043382f46f04eaa04028fba0d127c20b87b88fbd7966805d5c93307ca

SHA512
e07185b51ea52aa9850beaa099a621383a06d452666e96b25e2f0a9f7152fe5f4dbcc8a75a6cb336ee80c4273f85d04abdc142e7d0f87a4f2a9b85a51036cb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8291a88dd6e488392af53d69b63c3ae.exe

Filesize
8.2MB

MD5
7579e304c9fd49ab5754dd2a75f3b093

SHA1
b53289274fed8430ddcb58bd9fc26b898bd4fb37

SHA256
c153a11e1be904ef5f161a516a519e8eb0a9f0c504383865e2db481db14d3c71

SHA512
2d23527ca081fc658e54b9599dc33c33647d71e07b114a72bae677d73ccc77c093e34306a699bcc081b1c3b53aad0939d0ceb05cbe38bd537c0371bdc4628a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\db063e60fd50451f83aa5a0bad8e5941.exe

Filesize
2.4MB

MD5
7fd1b8fbfd95d2781656d41294547529

SHA1
efa594f75e2d653499df2d9266f28a6de2ed85be

SHA256
8f33534fd04867c7607d980d50e9f8abfed2d70f3fdff3e5514e7cf4539a9a91

SHA512
3acab9b8e6b105538a84479fe8542a192b6dbc8f19fc89107a81dd0e2cc6b87f5ae8f49750f7eeee8dd80313ebfbeb9b9f5a7091e0c76ef91e55522ecc72d3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec955a7b12b04f4fa5beec1c4910fbb7.exe

Filesize
961KB

MD5
4723c3c04794c09bbcb6e03f48440f15

SHA1
a5ef69c9dc9eacc2099d9c239146a0e360f1837f

SHA256
0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

SHA512
5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed9b8ca7aabc423ea52dc3e30f777055.exe

Filesize
280KB

MD5
dedabad13c1c4cc92c4ed2122473eb8a

SHA1
a13385641ddcbdc371dce3607381883d52ed9822

SHA256
5dc4f19b34a738b4eef99c1229b2c7e7492040819d92ddbbf52bbde2a600c2ed

SHA512
45b66665cb3e484c82775c9972f444b1d8fe6f7ef5a55185a3c071f84e9f5dd2a039c9f9e26392e950585cbf965b987df9c789106bddcb35ee55ad0ff91b190b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
c4b424a246ea43a06d6d0051b584082c

SHA1
445ec5107f95360e0545a35a6199408bc60f0b0b

SHA256
64bc2e2d88f12c6add4105b4435160b292629a50a25d6205cf17e61d0ed4b50a

SHA512
cada2deda35f173f2cd40802a33d17ac327cd35066cdb265fe69f1144ec3a21168619ece5f7e847abbcaf5d42a309eccde085218de65345e604ddc3486113963

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
694141dd2494db70dc8d0388b2bed642

SHA1
53be594aba088d86a167e16d82f54f0afefdb742

SHA256
fa466ad863a00bc210eb011856a5404f600d044641d0eb3a1a99504f03359464

SHA512
d40bf818e7622c3735c202e1406ed068d3518057e461f7190265a507a5ca12ec83ed30703f862e81f86f17c0c608d91a84fb6ad8a633a0f45757bcb478a8cdee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
d78b5c7f25379009f3d0a27d736d47fe

SHA1
2762cf44eec7626140f9f3315587dc938659954a

SHA256
61fb9504ca7c0e5bda12e55b485720ea9eee82413cb7af461541942f2bceab39

SHA512
5e8d3b87baf35f5bbbb2f1ce3149191b27b40bd7b9d467b99ad4524e2050bad2fcc933c0ed5b8f76b28138e878b94d8baeccc1ea3e739ef1627f6fe937e7ca5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\pending_pings\0d8e07c3-010d-4ff6-b860-f923b71e0db0

Filesize
886B

MD5
b3df6200c2c1dda9f1f22b8bccd5493a

SHA1
26cc47355f14bbee852c226200bbb9088342d160

SHA256
6d129deffc92008a1b09ffea40690a1b743bb826bf116637529840331b3dec43

SHA512
de1f8ac565319ce1e39318b0da5f3129eb47297e9ca04f1b4e4f5b17dac446491301593538475531d5db5309770bf89f534e62060100c17d8e7aa0baba0c6159

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\pending_pings\40ef59cb-e859-4f33-bd6e-86f7c785f9cb

Filesize
16KB

MD5
1383339c0e4aaa66e6ea823e2629a3cc

SHA1
2ea27bcc216b4f4b3a5dcada30fd1f6d4c900c74

SHA256
b408d402c97b067fadba9e8fcd4649753f55569b880825e08d5fd716677a1000

SHA512
2e4da21632c4aed99f2a9673984b8e96edaa03cdde41017a04392693fe69be60fa44a2e40d4f1d86b0bfe88e14e6fe95a8263288b7ca8403fc99de408a5110ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\pending_pings\c01fd1ab-3492-40fb-bb6f-1e9b47382e5e

Filesize
883B

MD5
ac5f646a47411cdbb1799cadf03c21fe

SHA1
24922f6ea67698aa3d740896b1afffecaffab532

SHA256
a9ac53c76312f329e331845630733c210b8f818a44677bd6152fcbfc1b916dc3

SHA512
4dd62d414521caa4baacfd3b2c5700a3c54b03b34ef362e04d0583eda7311e8ca568fe7bdb31b494bfd5e7c29b473baafd2fa9e54753e9512adf4e9e1e960f0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\pending_pings\c78f1568-ae14-464a-ae9f-b682630c89da

Filesize
235B

MD5
b73e20038e2e696da1a10f4a491ae9d2

SHA1
c69723f82e8721ead7a2d9502b4e3d8b60e66287

SHA256
65b1d7ad7b54c152fb3a18cad843506f84f21fc2c1636cab66124cc3653d9962

SHA512
6e924f17bae2ba197a3082605953857146af67f9a57248934acdcd69f8ec4c91ac3eaf202c9b78591fb33ba5dc814d3a78864c562c8a9f0ce3e1c85c7c54c4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\pending_pings\d3df7cf4-85ba-4d1e-b221-257817b5023e

Filesize
235B

MD5
4c4bba1cdbc0c92d1edbc7bff0bc656d

SHA1
33ec4288826f3662c1f1769d5421b91be0d827e3

SHA256
1532f99d5e3547b0f5e703c59d71ba699ba182f73cacc49b344f30a5007b880d

SHA512
0bb6b6a9209555e7dc23a7b06ba947bdafe3d7ba9369e46ae48fba09d89ba42769f7f3b65dbc3f615244b3a012b52b94264b950a96ae3298f36235683f990cca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\datareporting\glean\pending_pings\efe1b8e6-91bf-46d4-b3dd-0ce5163858ee

Filesize
2KB

MD5
3d04dff67ef3ffeb4d5c3b4e8976c23f

SHA1
66c3535f3cf2d6e0d144f3d408868750d5eef1fa

SHA256
bf415afa0142679e339f108af9a323f0883523b5ae53d0cb6b7575b42b75f8d5

SHA512
36eee473bddebc50c466906ca4965607e1533916e955045101621381f58186fb8d92656083b7222a932c53f4ec0bc3cd3149d2a2d96f2b311b25696cf8335b16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\prefs-1.js

Filesize
6KB

MD5
c7637b3c43a4e30ceaa66d4512e91441

SHA1
bca085cdde5b357ca420eb69470785ee1c18a1f5

SHA256
ad457211a85d8fdb2cdd4753b5396df39fb64a1fe822cbcb162b081ce52d0b8e

SHA512
f6caac42694bb31461bf98f9b6e0a9d991cd76bf07b42ef550aa876708dccf02818b5ee4f7fc1d63cf5d96ba0c627bb6043cef6bd69ddb90f83bf78cd73e9e18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\prefs-1.js

Filesize
6KB

MD5
cf7da8dd8e5c24a412640129c7b027cc

SHA1
678d206e2e269dde23df7f4fcb1b7f3b3fd14a5b

SHA256
6d8b5f179fe69d6cb59938a3db7dca2c1de17092aa4c3978e9c17f71b4dd06f4

SHA512
af55d0edcc393a1b63ec8aae796d9eb950b2d4b38055f2f2c5204b1d068f18ffa96f06d4d61cd8ce390a7b8c514d470b6a9972942a4375c73ee46987da5319e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\prefs.js

Filesize
6KB

MD5
9be851d1e26448bf84ab92001274afc8

SHA1
131d8fe061993435121cc22a191e0d3597734714

SHA256
9f640e45036cc7d3d7bfa6bdf07d52fc17527a881c490757bbd0d7d15c3b14a8

SHA512
eb20ad51840b7f233cd40e72b31e9fb4d8b1ff95bb96a15066145a824a0dd28478d1ea0e5b60c43c20a78c9ddb32f8de14bed331946c4019e7e6b93215210f4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\90bkg1w0.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
memory/348-651-0x000000001C3C0000-0x000000001C88E000-memory.dmp

Filesize
4.8MB

Download
memory/348-653-0x0000000001700000-0x0000000001708000-memory.dmp

Filesize
32KB

Download
memory/348-652-0x000000001BE20000-0x000000001BEBC000-memory.dmp

Filesize
624KB

Download
memory/2720-1015-0x00000194FB180000-0x00000194FB3DE000-memory.dmp

Filesize
2.4MB

Download
memory/3124-637-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3584-681-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3584-668-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3984-634-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4576-638-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4924-636-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4988-386-0x00007FFF90220000-0x00007FFF90231000-memory.dmp

Filesize
68KB

Download
memory/4988-384-0x00007FFF90260000-0x00007FFF90277000-memory.dmp

Filesize
92KB

Download
memory/4988-537-0x00007FF779420000-0x00007FF779518000-memory.dmp

Filesize
992KB

Download
memory/4988-379-0x00007FFF902A0000-0x00007FFF902D4000-memory.dmp

Filesize
208KB

Download
memory/4988-378-0x00007FF779420000-0x00007FF779518000-memory.dmp

Filesize
992KB

Download
memory/4988-540-0x00007FFF75C00000-0x00007FFF76CB0000-memory.dmp

Filesize
16.7MB

Download
memory/4988-381-0x00007FFF92760000-0x00007FFF92778000-memory.dmp

Filesize
96KB

Download
memory/4988-380-0x00007FFF76CB0000-0x00007FFF76F66000-memory.dmp

Filesize
2.7MB

Download
memory/4988-385-0x00007FFF90240000-0x00007FFF9025D000-memory.dmp

Filesize
116KB

Download
memory/4988-388-0x00007FFF901B0000-0x00007FFF90217000-memory.dmp

Filesize
412KB

Download
memory/4988-387-0x00007FFF75C00000-0x00007FFF76CB0000-memory.dmp

Filesize
16.7MB

Download
memory/4988-538-0x00007FFF902A0000-0x00007FFF902D4000-memory.dmp

Filesize
208KB

Download
memory/4988-398-0x00007FFF75C00000-0x00007FFF76CB0000-memory.dmp

Filesize
16.7MB

Download
memory/4988-382-0x00007FFF92730000-0x00007FFF92747000-memory.dmp

Filesize
92KB

Download
memory/4988-539-0x00007FFF76CB0000-0x00007FFF76F66000-memory.dmp

Filesize
2.7MB

Download
memory/4988-517-0x00007FFF75C00000-0x00007FFF76CB0000-memory.dmp

Filesize
16.7MB

Download
memory/4988-528-0x00007FFF75C00000-0x00007FFF76CB0000-memory.dmp

Filesize
16.7MB

Download
memory/4988-383-0x00007FFF90280000-0x00007FFF90291000-memory.dmp

Filesize
68KB

Download
memory/5388-672-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5388-674-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5420-620-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

Filesize
64KB

Download
memory/5420-619-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

Filesize
64KB

Download
memory/5420-617-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

Filesize
64KB

Download
memory/5420-615-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

Filesize
64KB

Download
memory/5420-618-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

Filesize
64KB

Download
memory/5420-616-0x0000000005FE0000-0x0000000005FF0000-memory.dmp

Filesize
64KB

Download
memory/5428-639-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/5764-2-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-0-0x0000000074C91000-0x0000000074C92000-memory.dmp

Filesize
4KB

Download
memory/5764-5-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-4-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-3-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-1064-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-1073-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5764-1121-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/5912-635-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/5956-782-0x000000001C980000-0x000000001C9CC000-memory.dmp

Filesize
304KB

Download
memory/5956-781-0x000000001BC20000-0x000000001BCC6000-memory.dmp

Filesize
664KB

Download