njrat | 54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

Analysis

max time kernel
151s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
13-08-2021 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2AD561E9BB9F780F56D5E7A280574432.exe
Size

375KB
MD5

2ad561e9bb9f780f56d5e7a280574432
SHA1

e6bc833d62ef0ec1e08674a0a8707e3ce2f09007
SHA256

54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3
SHA512

8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Score

10^/10

njrat hacked evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

212.192.241.42:5552

Mutex

34adf4afddd35097c6bf7951c5baad3a

Attributes

reg_key
34adf4afddd35097c6bf7951c5baad3a
splitter
|'|'|

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2AD561E9BB9F780F56D5E7A280574432.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\","	2AD561E9BB9F780F56D5E7A280574432.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\","	server.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

2952 server.exe
908 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2952	server.exe
908	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34adf4afddd35097c6bf7951c5baad3a.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34adf4afddd35097c6bf7951c5baad3a.exe	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\34adf4afddd35097c6bf7951c5baad3a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\34adf4afddd35097c6bf7951c5baad3a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2AD561E9BB9F780F56D5E7A280574432.exeserver.exe

description	pid	process	target process
PID 652 set thread context of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 2952 set thread context of 908	2952	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

2AD561E9BB9F780F56D5E7A280574432.exeserver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	2AD561E9BB9F780F56D5E7A280574432.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	server.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

powershell.exepowershell.exe2AD561E9BB9F780F56D5E7A280574432.exepowershell.exepowershell.exepowershell.exeserver.exepowershell.exe

pid	process
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeIncreaseQuotaPrivilege	3860	powershell.exe
Token: SeSecurityPrivilege	3860	powershell.exe
Token: SeTakeOwnershipPrivilege	3860	powershell.exe
Token: SeLoadDriverPrivilege	3860	powershell.exe
Token: SeSystemProfilePrivilege	3860	powershell.exe
Token: SeSystemtimePrivilege	3860	powershell.exe
Token: SeProfSingleProcessPrivilege	3860	powershell.exe
Token: SeIncBasePriorityPrivilege	3860	powershell.exe
Token: SeCreatePagefilePrivilege	3860	powershell.exe
Token: SeBackupPrivilege	3860	powershell.exe
Token: SeRestorePrivilege	3860	powershell.exe
Token: SeShutdownPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeSystemEnvironmentPrivilege	3860	powershell.exe
Token: SeRemoteShutdownPrivilege	3860	powershell.exe
Token: SeUndockPrivilege	3860	powershell.exe
Token: SeManageVolumePrivilege	3860	powershell.exe
Token: 33	3860	powershell.exe
Token: 34	3860	powershell.exe
Token: 35	3860	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

2AD561E9BB9F780F56D5E7A280574432.exeWScript.exe2AD561E9BB9F780F56D5E7A280574432.exeserver.exeWScript.exeserver.exe

description	pid	process	target process
PID 652 wrote to memory of 2252	652	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 652 wrote to memory of 2252	652	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 652 wrote to memory of 2252	652	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 652 wrote to memory of 3860	652	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 652 wrote to memory of 3860	652	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 652 wrote to memory of 3860	652	2AD561E9BB9F780F56D5E7A280574432.exe	powershell.exe
PID 652 wrote to memory of 3740	652	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 652 wrote to memory of 3740	652	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 652 wrote to memory of 3740	652	2AD561E9BB9F780F56D5E7A280574432.exe	WScript.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	2AD561E9BB9F780F56D5E7A280574432.exe
PID 3740 wrote to memory of 3140	3740	WScript.exe	powershell.exe
PID 3740 wrote to memory of 3140	3740	WScript.exe	powershell.exe
PID 3740 wrote to memory of 3140	3740	WScript.exe	powershell.exe
PID 3684 wrote to memory of 2952	3684	2AD561E9BB9F780F56D5E7A280574432.exe	server.exe
PID 3684 wrote to memory of 2952	3684	2AD561E9BB9F780F56D5E7A280574432.exe	server.exe
PID 3684 wrote to memory of 2952	3684	2AD561E9BB9F780F56D5E7A280574432.exe	server.exe
PID 2952 wrote to memory of 736	2952	server.exe	powershell.exe
PID 2952 wrote to memory of 736	2952	server.exe	powershell.exe
PID 2952 wrote to memory of 736	2952	server.exe	powershell.exe
PID 2952 wrote to memory of 3964	2952	server.exe	powershell.exe
PID 2952 wrote to memory of 3964	2952	server.exe	powershell.exe
PID 2952 wrote to memory of 3964	2952	server.exe	powershell.exe
PID 2952 wrote to memory of 3984	2952	server.exe	WScript.exe
PID 2952 wrote to memory of 3984	2952	server.exe	WScript.exe
PID 2952 wrote to memory of 3984	2952	server.exe	WScript.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 2952 wrote to memory of 908	2952	server.exe	server.exe
PID 3984 wrote to memory of 3976	3984	WScript.exe	powershell.exe
PID 3984 wrote to memory of 3976	3984	WScript.exe	powershell.exe
PID 3984 wrote to memory of 3976	3984	WScript.exe	powershell.exe
PID 908 wrote to memory of 2160	908	server.exe	netsh.exe
PID 908 wrote to memory of 2160	908	server.exe	netsh.exe
PID 908 wrote to memory of 2160	908	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
"C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3140
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3964
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\server.exe
      4⤵
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        
        PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2AD561E9BB9F780F56D5E7A280574432.exe.log

MD5
1755d02418241b16d29f6f19bb49952e

SHA1
55a2a978b98c43820f21a8b7597515d804e43d2c

SHA256
ebeb444cf2bd1945e7be508cc782963cf8cf9cedb1680a776f41eb0bf763a561

SHA512
6cd5449f39199e276ea335af0721384ba18009932c8eed5a36e43f1e08b0890291fb9d033aee8c6e8c88899a44504cb222404137ea6b0d847a49a14971f47c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3b5bd2b9e07a4ef99733ad13e7736e00

SHA1
00e090da6226f4534210ade6d6c670ed8b19c9ef

SHA256
7ad402a7e43b706e4dc7de2dba51c535bcd26dabd7c9573e0a765c6235f5c3ad

SHA512
e21237afa0de7c94cbc1e048e00bc2f501974d6a4648fe7e20f771e4ab1399192fe9d748a063e59aa70814efc1ca10643c5a13275744546c55dd92fc6755453c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3b5bd2b9e07a4ef99733ad13e7736e00

SHA1
00e090da6226f4534210ade6d6c670ed8b19c9ef

SHA256
7ad402a7e43b706e4dc7de2dba51c535bcd26dabd7c9573e0a765c6235f5c3ad

SHA512
e21237afa0de7c94cbc1e048e00bc2f501974d6a4648fe7e20f771e4ab1399192fe9d748a063e59aa70814efc1ca10643c5a13275744546c55dd92fc6755453c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
620f2771f45494b8ce927fd606423a52

SHA1
d4c445b60cb946632c8cb13750121c261142846e

SHA256
4668ca3fa4e52c5e66c8f46840f1bb5baf21f01737a5ecd2b24e0d7753d82f2e

SHA512
22e6772c200bb915b1f4dc99c8cf64eb7c522b10c23492ca516ee43cf0be179ef35db10195a2c929f24b9400a2db428086b1ad3b955d6f7d8901b5e4e4eeb351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
620f2771f45494b8ce927fd606423a52

SHA1
d4c445b60cb946632c8cb13750121c261142846e

SHA256
4668ca3fa4e52c5e66c8f46840f1bb5baf21f01737a5ecd2b24e0d7753d82f2e

SHA512
22e6772c200bb915b1f4dc99c8cf64eb7c522b10c23492ca516ee43cf0be179ef35db10195a2c929f24b9400a2db428086b1ad3b955d6f7d8901b5e4e4eeb351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d5733f4c0544ffd329eeb9a840461558

SHA1
030eca5028480777206154479d10f0bc863d9118

SHA256
e72a7148e9d9ea2bf3304a1888a42ae91762d6ca21e60c105ccf452695074e50

SHA512
a751542759b1ab80974dc2707ad6d9a8405c6e74706f08d1f44957295d391e53b02a38db5c1669602231fa3db28e45d46f240cedc57da77ba02df77f779ca872

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs

MD5
3a35a8049e1d1c960d83727fcdc0e1b3

SHA1
41acf6abf00a160e0d4795bc080f540620525f76

SHA256
9be0a227c73471c6797c07b45970b39954ee5715cee41d029c53239cac0578ee

SHA512
256b222634a7acf9e69fe170d97236128f28aa11cb67d6a41e4cdbcfe8c982229801f0c77ae6075665ef4385f93fca00d3a7d5dbaf48e58aea966378c3ac1385

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs

MD5
3a35a8049e1d1c960d83727fcdc0e1b3

SHA1
41acf6abf00a160e0d4795bc080f540620525f76

SHA256
9be0a227c73471c6797c07b45970b39954ee5715cee41d029c53239cac0578ee

SHA512
256b222634a7acf9e69fe170d97236128f28aa11cb67d6a41e4cdbcfe8c982229801f0c77ae6075665ef4385f93fca00d3a7d5dbaf48e58aea966378c3ac1385

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
2ad561e9bb9f780f56d5e7a280574432

SHA1
e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

SHA256
54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

SHA512
8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
2ad561e9bb9f780f56d5e7a280574432

SHA1
e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

SHA256
54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

SHA512
8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
2ad561e9bb9f780f56d5e7a280574432

SHA1
e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

SHA256
54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

SHA512
8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Download Submit
C:\Users\Admin\AppData\Local\putty.exe

MD5
2ad561e9bb9f780f56d5e7a280574432

SHA1
e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

SHA256
54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

SHA512
8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Download Submit
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/652-312-0x0000000006930000-0x0000000006976000-memory.dmp

Filesize
280KB

Download
memory/652-313-0x0000000006980000-0x00000000069F5000-memory.dmp

Filesize
468KB

Download
memory/652-117-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/652-118-0x0000000004CE0000-0x00000000051DE000-memory.dmp

Filesize
5.0MB

Download
memory/736-441-0x0000000000000000-mapping.dmp

Download
memory/736-546-0x0000000007313000-0x0000000007314000-memory.dmp

Filesize
4KB

Download
memory/736-462-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/736-464-0x0000000007312000-0x0000000007313000-memory.dmp

Filesize
4KB

Download
memory/908-1042-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/908-782-0x000000000040746E-mapping.dmp

Download
memory/2160-1040-0x0000000000000000-mapping.dmp

Download
memory/2252-139-0x0000000008BB0000-0x0000000008BB1000-memory.dmp

Filesize
4KB

Download
memory/2252-149-0x0000000006A93000-0x0000000006A94000-memory.dmp

Filesize
4KB

Download
memory/2252-120-0x0000000000000000-mapping.dmp

Download
memory/2252-123-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2252-124-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/2252-125-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/2252-126-0x0000000006A92000-0x0000000006A93000-memory.dmp

Filesize
4KB

Download
memory/2252-127-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2252-128-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2252-129-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/2252-130-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/2252-131-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/2252-132-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/2252-133-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/2252-138-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/2252-140-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/2252-148-0x0000000009F60000-0x0000000009F61000-memory.dmp

Filesize
4KB

Download
memory/2952-440-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/2952-429-0x0000000000000000-mapping.dmp

Download
memory/3140-329-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3140-396-0x0000000007393000-0x0000000007394000-memory.dmp

Filesize
4KB

Download
memory/3140-357-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/3140-352-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/3140-323-0x0000000000000000-mapping.dmp

Download
memory/3140-345-0x00000000099C0000-0x00000000099F3000-memory.dmp

Filesize
204KB

Download
memory/3140-336-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/3140-358-0x000000007F2F0000-0x000000007F2F1000-memory.dmp

Filesize
4KB

Download
memory/3140-333-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/3140-331-0x0000000007392000-0x0000000007393000-memory.dmp

Filesize
4KB

Download
memory/3684-316-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3684-317-0x000000000040746E-mapping.dmp

Download
memory/3684-321-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3740-315-0x0000000000000000-mapping.dmp

Download
memory/3860-166-0x0000000000000000-mapping.dmp

Download
memory/3860-192-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/3860-224-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/3860-190-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/3964-689-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3964-726-0x0000000000C53000-0x0000000000C54000-memory.dmp

Filesize
4KB

Download
memory/3964-680-0x0000000000000000-mapping.dmp

Download
memory/3964-690-0x0000000000C52000-0x0000000000C53000-memory.dmp

Filesize
4KB

Download
memory/3976-789-0x0000000000000000-mapping.dmp

Download
memory/3976-892-0x00000000075C3000-0x00000000075C4000-memory.dmp

Filesize
4KB

Download
memory/3976-802-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/3976-803-0x00000000075C2000-0x00000000075C3000-memory.dmp

Filesize
4KB

Download
memory/3976-891-0x000000007EFB0000-0x000000007EFB1000-memory.dmp

Filesize
4KB

Download
memory/3984-779-0x0000000000000000-mapping.dmp

Download