njrat | d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
09-03-2021 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Score

10^/10

njrat quasar hackedtest heart evasion persistence spyware trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedTEST

chipo.publicvm.com:1177

Mutex

4c71585ab01a8f1344352fb1f26b00fd

Attributes

reg_key
4c71585ab01a8f1344352fb1f26b00fd
splitter
|'|'|

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes

encryption_key
3vnM9JqtaSdxUVqeTXSi
install_name
Subfile.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDirr

Signatures

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 5 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exetest404.exeGoogle Chrome.exeSys32.exeSubfile.exe

pid process

2444 Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
1520 test404.exe
2536 Google Chrome.exe
3192 Sys32.exe
1176 Subfile.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2444	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
1520	test404.exe
2536	Google Chrome.exe
3192	Sys32.exe
1176	Subfile.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	upx
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	upx
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	upx
\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe.tmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
\Program Files\Common Files\System\symsrv.dll	upx
C:\Users\Admin\AppData\Local\Temp\A1D26E2\5C5EF34FE0.tmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
C:\Users\Admin\AppData\Local\Temp\A1D26E2\5DE5F84FC4.tmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
\Program Files\Common Files\System\symsrv.dll	upx

Drops startup file 2 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test404.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test404.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Loads dropped DLL 7 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeLoader.exeLoader1.exeGoogle Chrome.exenetsh.exeSubfile.exe

pid	process
3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
4064	Loader.exe
4036	Loader1.exe
2536	Google Chrome.exe
3792	netsh.exe
1176	Subfile.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google Chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c71585ab01a8f1344352fb1f26b00fd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .."	Google Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4c71585ab01a8f1344352fb1f26b00fd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .."	Google Chrome.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeGoogle Chrome.exe

description ioc process

File opened (read-only) \??\e: Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File opened (read-only) \??\e: Google Chrome.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com

description	ioc	process
File opened (read-only)	\??\e:	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File opened (read-only)	\??\e:	Google Chrome.exe

flow	ioc
25	ip-api.com

autoit_exe 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A1D26E2\3DBA8A4F30.tmp	autoit_exe

Drops file in Program Files directory 2 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeGoogle Chrome.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	Google Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1960 schtasks.exe
2820 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Sys32.exe

pid process

3192 Sys32.exe

pid	process
1960	schtasks.exe
2820	schtasks.exe

pid	process
3192	Sys32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exepowershell.exepowershell.exeGoogle Chrome.exe

pid	process
3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
200	powershell.exe
200	powershell.exe
200	powershell.exe
2536	Google Chrome.exe
2536	Google Chrome.exe
2536	Google Chrome.exe
2536	Google Chrome.exe
2536	Google Chrome.exe
2536	Google Chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exepowershell.exepowershell.exeLoader.exeLoader1.exeGoogle Chrome.exenetsh.exeSubfile.exe

description	pid	process
Token: SeDebugPrivilege	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeIncreaseQuotaPrivilege	8	powershell.exe
Token: SeSecurityPrivilege	8	powershell.exe
Token: SeTakeOwnershipPrivilege	8	powershell.exe
Token: SeLoadDriverPrivilege	8	powershell.exe
Token: SeSystemProfilePrivilege	8	powershell.exe
Token: SeSystemtimePrivilege	8	powershell.exe
Token: SeProfSingleProcessPrivilege	8	powershell.exe
Token: SeIncBasePriorityPrivilege	8	powershell.exe
Token: SeCreatePagefilePrivilege	8	powershell.exe
Token: SeBackupPrivilege	8	powershell.exe
Token: SeRestorePrivilege	8	powershell.exe
Token: SeShutdownPrivilege	8	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeSystemEnvironmentPrivilege	8	powershell.exe
Token: SeRemoteShutdownPrivilege	8	powershell.exe
Token: SeUndockPrivilege	8	powershell.exe
Token: SeManageVolumePrivilege	8	powershell.exe
Token: 33	8	powershell.exe
Token: 34	8	powershell.exe
Token: 35	8	powershell.exe
Token: 36	8	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeIncreaseQuotaPrivilege	200	powershell.exe
Token: SeSecurityPrivilege	200	powershell.exe
Token: SeTakeOwnershipPrivilege	200	powershell.exe
Token: SeLoadDriverPrivilege	200	powershell.exe
Token: SeSystemProfilePrivilege	200	powershell.exe
Token: SeSystemtimePrivilege	200	powershell.exe
Token: SeProfSingleProcessPrivilege	200	powershell.exe
Token: SeIncBasePriorityPrivilege	200	powershell.exe
Token: SeCreatePagefilePrivilege	200	powershell.exe
Token: SeBackupPrivilege	200	powershell.exe
Token: SeRestorePrivilege	200	powershell.exe
Token: SeShutdownPrivilege	200	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeSystemEnvironmentPrivilege	200	powershell.exe
Token: SeRemoteShutdownPrivilege	200	powershell.exe
Token: SeUndockPrivilege	200	powershell.exe
Token: SeManageVolumePrivilege	200	powershell.exe
Token: 33	200	powershell.exe
Token: 34	200	powershell.exe
Token: 35	200	powershell.exe
Token: 36	200	powershell.exe
Token: SeDebugPrivilege	4064	Loader.exe
Token: SeDebugPrivilege	4036	Loader1.exe
Token: SeDebugPrivilege	2536	Google Chrome.exe
Token: SeDebugPrivilege	3792	netsh.exe
Token: SeDebugPrivilege	2536	Google Chrome.exe
Token: 33	2536	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2536	Google Chrome.exe
Token: 33	2536	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2536	Google Chrome.exe
Token: SeDebugPrivilege	1176	Subfile.exe
Token: SeDebugPrivilege	1176	Subfile.exe
Token: 33	2536	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2536	Google Chrome.exe
Token: 33	2536	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2536	Google Chrome.exe
Token: 33	2536	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2536	Google Chrome.exe
Token: 33	2536	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2536	Google Chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Subfile.exe

pid process

1176 Subfile.exe

pid	process
1176	Subfile.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exewscript.execmd.exetest404.exeGoogle Chrome.exe

description	pid	process	target process
PID 3888 wrote to memory of 2444	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
PID 3888 wrote to memory of 2444	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
PID 3888 wrote to memory of 2444	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
PID 2444 wrote to memory of 3512	2444	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	wscript.exe
PID 2444 wrote to memory of 3512	2444	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	wscript.exe
PID 3512 wrote to memory of 2632	3512	wscript.exe	Load.exe
PID 3512 wrote to memory of 2632	3512	wscript.exe	Load.exe
PID 3512 wrote to memory of 2632	3512	wscript.exe	Load.exe
PID 3512 wrote to memory of 2920	3512	wscript.exe	cmd.exe
PID 3512 wrote to memory of 2920	3512	wscript.exe	cmd.exe
PID 3888 wrote to memory of 1520	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	test404.exe
PID 3888 wrote to memory of 1520	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	test404.exe
PID 3888 wrote to memory of 1520	3888	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	test404.exe
PID 2920 wrote to memory of 8	2920	cmd.exe	powershell.exe
PID 2920 wrote to memory of 8	2920	cmd.exe	powershell.exe
PID 2920 wrote to memory of 200	2920	cmd.exe	powershell.exe
PID 2920 wrote to memory of 200	2920	cmd.exe	powershell.exe
PID 2920 wrote to memory of 1960	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 1960	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 2820	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 2820	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 1988	2920	cmd.exe	attrib.exe
PID 2920 wrote to memory of 1988	2920	cmd.exe	attrib.exe
PID 2920 wrote to memory of 4064	2920	cmd.exe	Loader.exe
PID 2920 wrote to memory of 4064	2920	cmd.exe	Loader.exe
PID 2920 wrote to memory of 4064	2920	cmd.exe	Loader.exe
PID 2920 wrote to memory of 4036	2920	cmd.exe	Loader1.exe
PID 2920 wrote to memory of 4036	2920	cmd.exe	Loader1.exe
PID 2920 wrote to memory of 4036	2920	cmd.exe	Loader1.exe
PID 1520 wrote to memory of 2536	1520	test404.exe	Google Chrome.exe
PID 1520 wrote to memory of 2536	1520	test404.exe	Google Chrome.exe
PID 1520 wrote to memory of 2536	1520	test404.exe	Google Chrome.exe
PID 2536 wrote to memory of 3792	2536	Google Chrome.exe	netsh.exe
PID 2536 wrote to memory of 3792	2536	Google Chrome.exe	netsh.exe
PID 2536 wrote to memory of 3792	2536	Google Chrome.exe	netsh.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1988 attrib.exe

pid	process
1988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
"C:\Users\Admin\AppData\Local\Temp/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3EF3.tmp\3EF4.tmp\3EF5.vbs //Nologo
3⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Heart\Load.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Heart\Load.exe"
4⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
5⤵
- Views/modifies file attributes
PID:1988

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
loader.exe -pP@$$W@RD@@
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
loader1.exe -pP@$$W@RD@@
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\test404.exe
C:\Users\Admin\AppData\Local\Temp/test404.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe" "Google Chrome.exe" ENABLE
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3192

C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6dca344d157e677df738cd5c104ec230

SHA1
9b319e0dda583b0c7fcc39b1171b99fdef242250

SHA256
728b0e1d72a87eb5709839788541a4524e8a5231edbfcb843e3192c7cdef7923

SHA512
4d9095ab92015f062c258cd3db5712a042a61d4c4e7c3792348461765d248767077e88e2707962d597f3ee460aaaa268bfc72c60a1a2df26bbde846ac359168d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EF3.tmp\3EF4.tmp\3EF5.vbs
MD5
eb6e66649458ab67cd6b1c1119d27cc3

SHA1
8099e76b7c4c5d593889d3d4bcf709e926d3eaab

SHA256
26dfa79be36cbdfcc3850d17dc704c16ef2772a4b561e13f349307571230f0e0

SHA512
daacbcd01d8d5555dda47ed08b042b29e203ee7ca6a29252a27bb14f6f742db2c1c58d5b83ce36d8c1fb40fae22ef14c0777cbc1ae0f9d28e8d2bb28c7933c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\3DBA8A4F30.tmp
MD5
cb0de434b038de61b61d60e2d284c2c5

SHA1
f4197c2ccaf7c42679c15208945e3536d27eda97

SHA256
b5050491771ba6bc4305574127ef774caca08280f64f0cea0a44dd8cfb0ecae3

SHA512
2984641dcfa04dedcd4a5c6bfd181da3c6352a9405043f9d6a73b0d84be84d5b61f619f209c7a89dcd7cb7631edbf4a40c5fbd6de006e97e15ea00bfd7e09324

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\5C5EF34FE0.tmp
MD5
a0f5d9448eed029fef6d9944df015832

SHA1
560dc39fbdccf26465005baf60648d3e0e41b32a

SHA256
02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242

SHA512
c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\5DE5F84FC4.tmp
MD5
cb12a9883105636361815cc05ae84a9b

SHA1
e200f1b9553254dac2771c11e9c7eaf39095803c

SHA256
fb6f81aaf1dbe4cf4a182b2f049504c2b137cf714eacddf8debc7087d52414e7

SHA512
36dd29e931d771802e4f39ece4cb3ab6bff777457304d3242b88189ebd8a2650a68dba2b100309f6a5962af2d92416f91f0ad0e323e98d7276b2ecec0c657fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
MD5
943df0dd122ec18e4a64231c3d8cb3f9

SHA1
5abb3181f354cd5d48726fad840518926f8ff0d7

SHA256
48945de236ef7a39cf323719c174300653f9c6d35329512c0b2a29cc3ec9ea91

SHA512
1bcc301995f984593f9874ef59f79e00ff91031f3bbb1205ff661576365299ae930e9f83356f6a49ab00cfc233f614302266c6707bba7bf86b5d505f96d71009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
MD5
943df0dd122ec18e4a64231c3d8cb3f9

SHA1
5abb3181f354cd5d48726fad840518926f8ff0d7

SHA256
48945de236ef7a39cf323719c174300653f9c6d35329512c0b2a29cc3ec9ea91

SHA512
1bcc301995f984593f9874ef59f79e00ff91031f3bbb1205ff661576365299ae930e9f83356f6a49ab00cfc233f614302266c6707bba7bf86b5d505f96d71009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
MD5
2460a0af6c336e546ecb8d3a3bb6fab7

SHA1
de23c0a0c8d5b42eb804a557073e7c9cd1fe8558

SHA256
4ef7de2f82d7e76e2b408418c26e86680be7ca75f0406aa9e9f052a9e833ee7f

SHA512
b75eef7ec0de1ba74ce7ff378f3307741bb3b7b52d092180947753e620c30edae928f68978ddc2dc23c6ae8e8f884cd64a69a875b23de47ebadfd09483170966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
MD5
2460a0af6c336e546ecb8d3a3bb6fab7

SHA1
de23c0a0c8d5b42eb804a557073e7c9cd1fe8558

SHA256
4ef7de2f82d7e76e2b408418c26e86680be7ca75f0406aa9e9f052a9e833ee7f

SHA512
b75eef7ec0de1ba74ce7ff378f3307741bb3b7b52d092180947753e620c30edae928f68978ddc2dc23c6ae8e8f884cd64a69a875b23de47ebadfd09483170966

Download Submit
C:\Users\Admin\AppData\Local\Temp\test404.exe
MD5
943df0dd122ec18e4a64231c3d8cb3f9

SHA1
5abb3181f354cd5d48726fad840518926f8ff0d7

SHA256
48945de236ef7a39cf323719c174300653f9c6d35329512c0b2a29cc3ec9ea91

SHA512
1bcc301995f984593f9874ef59f79e00ff91031f3bbb1205ff661576365299ae930e9f83356f6a49ab00cfc233f614302266c6707bba7bf86b5d505f96d71009

Download Submit
C:\Users\Admin\AppData\Local\Temp\test404.exe
MD5
943df0dd122ec18e4a64231c3d8cb3f9

SHA1
5abb3181f354cd5d48726fad840518926f8ff0d7

SHA256
48945de236ef7a39cf323719c174300653f9c6d35329512c0b2a29cc3ec9ea91

SHA512
1bcc301995f984593f9874ef59f79e00ff91031f3bbb1205ff661576365299ae930e9f83356f6a49ab00cfc233f614302266c6707bba7bf86b5d505f96d71009

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe.tmp
MD5
3aa5d861cd2300b2b10da9b3fc2894eb

SHA1
44ef5df0067a159042cbb1d1fd3543a734155834

SHA256
76fb1f0f3ce38104af16eef598f86f09b370835ab528c998bf9ee6d4d068868e

SHA512
cb79d1b599e1c43595e955425b06fd1112a7ca505d8b7e5a982bc1a7149fa70b49173231b3d7d69988e856dffc7e2b482bff7c5409396b57f2f4e37ca188edd3

Download Submit
memory/8-36-0x0000024162DE0000-0x0000024162DE1000-memory.dmp

Filesize
4KB

Download
memory/8-26-0x00007FFF6C580000-0x00007FFF6CF6C000-memory.dmp

Filesize
9.9MB

Download
memory/8-35-0x0000024148A20000-0x0000024148A21000-memory.dmp

Filesize
4KB

Download
memory/8-38-0x0000024148930000-0x0000024148932000-memory.dmp

Filesize
8KB

Download
memory/8-39-0x0000024148933000-0x0000024148935000-memory.dmp

Filesize
8KB

Download
memory/8-41-0x0000024148936000-0x0000024148938000-memory.dmp

Filesize
8KB

Download
memory/8-23-0x0000000000000000-mapping.dmp

Download
memory/200-45-0x0000000000000000-mapping.dmp

Download
memory/200-51-0x0000019F77390000-0x0000019F77392000-memory.dmp

Filesize
8KB

Download
memory/200-52-0x0000019F77393000-0x0000019F77395000-memory.dmp

Filesize
8KB

Download
memory/200-57-0x0000019F77398000-0x0000019F77399000-memory.dmp

Filesize
4KB

Download
memory/200-53-0x0000019F77396000-0x0000019F77398000-memory.dmp

Filesize
8KB

Download
memory/200-47-0x00007FFF6C580000-0x00007FFF6CF6C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-92-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1176-100-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/1176-91-0x0000000072900000-0x0000000072FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-99-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/1176-98-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1176-97-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1520-29-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1520-40-0x00000000057C3000-0x00000000057C5000-memory.dmp

Filesize
8KB

Download
memory/1520-19-0x0000000072900000-0x0000000072FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-20-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1520-24-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1520-32-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/1520-15-0x0000000000000000-mapping.dmp

Download
memory/1520-37-0x00000000092B0000-0x00000000092B6000-memory.dmp

Filesize
24KB

Download
memory/1960-54-0x0000000000000000-mapping.dmp

Download
memory/1988-56-0x0000000000000000-mapping.dmp

Download
memory/2444-3-0x0000000000000000-mapping.dmp

Download
memory/2536-75-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2536-69-0x0000000072900000-0x0000000072FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-65-0x0000000000000000-mapping.dmp

Download
memory/2536-80-0x0000000005433000-0x0000000005435000-memory.dmp

Filesize
8KB

Download
memory/2632-31-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2632-25-0x000000000A0F0000-0x000000000A0F1000-memory.dmp

Filesize
4KB

Download
memory/2632-44-0x0000000009360000-0x0000000009361000-memory.dmp

Filesize
4KB

Download
memory/2632-12-0x0000000072900000-0x0000000072FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2632-42-0x0000000002DB3000-0x0000000002DB5000-memory.dmp

Filesize
8KB

Download
memory/2632-14-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2632-10-0x0000000000000000-mapping.dmp

Download
memory/2632-43-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/2632-22-0x0000000007930000-0x00000000079E4000-memory.dmp

Filesize
720KB

Download
memory/2632-33-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2632-27-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/2820-55-0x0000000000000000-mapping.dmp

Download
memory/2920-11-0x0000000000000000-mapping.dmp

Download
memory/3192-86-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3192-85-0x00007FFF6C680000-0x00007FFF6D06C000-memory.dmp

Filesize
9.9MB

Download
memory/3192-95-0x000000001BD30000-0x000000001BD32000-memory.dmp

Filesize
8KB

Download
memory/3512-9-0x00000264CF700000-0x00000264CF704000-memory.dmp

Filesize
16KB

Download
memory/3512-6-0x0000000000000000-mapping.dmp

Download
memory/3792-81-0x0000000000000000-mapping.dmp

Download
memory/3888-7-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4036-62-0x0000000000000000-mapping.dmp

Download
memory/4064-58-0x0000000000000000-mapping.dmp

Download