njrat | 22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8

Analysis

max time kernel
179s
max time network
226s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe
Size

3.2MB
MD5

39a92446a2cda218e514994bbfa5163e
SHA1

b85ff67f9f4e798cfcc8409d867d2b9c581c36a5
SHA256

22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8
SHA512

71176a92c06a749cfc5455d2e2ed9395feddd88a4ed66a8d08343b69636b71731af5579a3600eb0c7a45e319c529a9d837449e5a83ed7fc938caecba054e539e

Score

10^/10

njrat zombie evasion persistence trojan

Malware Config

Extracted

Family

njrat

Botnet

Zombie

Mutex

09c32d2d0a299e9d040cc8b2a01b8e4f

Attributes

reg_key
09c32d2d0a299e9d040cc8b2a01b8e4f

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

CDS.execrypted.exeToken Build.exeToken_Build.execrss.exe

pid process

936 CDS.exe
1788 crypted.exe
464 Token Build.exe
1760 Token_Build.exe
828 crss.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
936	CDS.exe
1788	crypted.exe
464	Token Build.exe
1760	Token_Build.exe
828	crss.exe

Drops startup file 2 IoCs

Processes:

crss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09c32d2d0a299e9d040cc8b2a01b8e4f.exe	crss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09c32d2d0a299e9d040cc8b2a01b8e4f.exe	crss.exe

Loads dropped DLL 15 IoCs

Processes:

22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exeCDS.execrypted.exeToken_Build.execrss.exe

pid	process
1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe
936	CDS.exe
936	CDS.exe
936	CDS.exe
936	CDS.exe
936	CDS.exe
936	CDS.exe
936	CDS.exe
936	CDS.exe
1788	crypted.exe
1788	crypted.exe
1788	crypted.exe
1760	Token_Build.exe
1760	Token_Build.exe
828	crss.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

crss.exe22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\09c32d2d0a299e9d040cc8b2a01b8e4f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\crss.exe\" .."	crss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\09c32d2d0a299e9d040cc8b2a01b8e4f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\crss.exe\" .."	crss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1816 464 WerFault.exe Token Build.exe

pid	pid_target	process	target process
1816	464	WerFault.exe	Token Build.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Token Build.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Token Build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Token Build.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

936 CDS.exe
936 CDS.exe

pid	process
936	CDS.exe
936	CDS.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AUDIODG.EXEToken Build.execrss.exe

description	pid	process
Token: 33	1128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1128	AUDIODG.EXE
Token: 33	1128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1128	AUDIODG.EXE
Token: SeDebugPrivilege	464	Token Build.exe
Token: SeDebugPrivilege	828	crss.exe
Token: 33	828	crss.exe
Token: SeIncBasePriorityPrivilege	828	crss.exe
Token: 33	828	crss.exe
Token: SeIncBasePriorityPrivilege	828	crss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

936 CDS.exe
936 CDS.exe

pid	process
936	CDS.exe
936	CDS.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exeCDS.execrypted.exeToken_Build.exeToken Build.execrss.exe

description	pid	process	target process
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 1420 wrote to memory of 936	1420	22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe	CDS.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 936 wrote to memory of 1788	936	CDS.exe	crypted.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 464	1788	crypted.exe	Token Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1788 wrote to memory of 1760	1788	crypted.exe	Token_Build.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 1760 wrote to memory of 828	1760	Token_Build.exe	crss.exe
PID 464 wrote to memory of 1816	464	Token Build.exe	WerFault.exe
PID 464 wrote to memory of 1816	464	Token Build.exe	WerFault.exe
PID 464 wrote to memory of 1816	464	Token Build.exe	WerFault.exe
PID 464 wrote to memory of 1816	464	Token Build.exe	WerFault.exe
PID 464 wrote to memory of 1816	464	Token Build.exe	WerFault.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe
PID 828 wrote to memory of 1952	828	crss.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe
"C:\Users\Admin\AppData\Local\Temp\22a54b44940c863a3d5ecab8a0c0db9adca5cabb209f39fde2a5d2d4467869f8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Roaming\Token_Build.exe
"C:\Users\Admin\AppData\Roaming\Token_Build.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\crss.exe
"C:\Users\Admin\AppData\Local\Temp\crss.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\crss.exe" "crss.exe" ENABLE
6⤵
PID:1952

C:\Users\Admin\AppData\Roaming\Token Build.exe
"C:\Users\Admin\AppData\Roaming\Token Build.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 464 -s 1500
5⤵
- Program crash
PID:1816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
53KB

MD5
f59a3f249546f6364164a92de882e126

SHA1
bbd36f6fc13d13c16d5d3f0567322be5c14698ba

SHA256
0d6730a8d16c8e1f31dbdcbea32a17ffb9e59356137863dffc852dcb7bdf726f

SHA512
14f8b6e7737acaf229ae8d5e7c47a40d1466d92ccd1be17ebf4176f783591f27504dfba5cd3e5b2feadfb787788fdd038d7e3fdbb48be723b31245b3167ee1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\crss.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
C:\Users\Admin\AppData\Local\Temp\crss.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
C:\Users\Admin\AppData\Roaming\Token Build.exe
Filesize
10KB

MD5
0bddd624c6431347244773434b9bdec2

SHA1
00b0c2d9372665983208d0a031197f9a946641d7

SHA256
1d2985dbeac7ad0b3d309345e054d98320f7178c00d1a27346e6ea829c229282

SHA512
a18dbc855edaae6ecbb1cc137014c0822778b1ef3763665ae192c97eb9eeab5d9fecdd3a296f982a9e002c651b554bc101ba3b7ff400843e9e714dcbc3c8d7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Token Build.exe
Filesize
10KB

MD5
0bddd624c6431347244773434b9bdec2

SHA1
00b0c2d9372665983208d0a031197f9a946641d7

SHA256
1d2985dbeac7ad0b3d309345e054d98320f7178c00d1a27346e6ea829c229282

SHA512
a18dbc855edaae6ecbb1cc137014c0822778b1ef3763665ae192c97eb9eeab5d9fecdd3a296f982a9e002c651b554bc101ba3b7ff400843e9e714dcbc3c8d7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Token_Build.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
C:\Users\Admin\AppData\Roaming\Token_Build.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
53KB

MD5
9ba8b7790a9c9ef4f086215e811d8249

SHA1
69f30d6bb7e5f2bc01a1eaae8c18b0ccce06d936

SHA256
fc10cbd3e1d997f933070bc7877b579af19d972f1617694f8bcb2eb25e9073db

SHA512
1b1ca5f3d200f946c72680e2d1fa1c290990fdd99fa47ce6a9600a6fe043eb8b7e06c44bdf6eb47a469444c811ac6cb2dfb5949b2c163c35d0f141c0fd69cc43

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
\Users\Admin\AppData\Local\Temp\crss.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
\Users\Admin\AppData\Local\Temp\crss.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
\Users\Admin\AppData\Roaming\Token Build.exe
Filesize
10KB

MD5
0bddd624c6431347244773434b9bdec2

SHA1
00b0c2d9372665983208d0a031197f9a946641d7

SHA256
1d2985dbeac7ad0b3d309345e054d98320f7178c00d1a27346e6ea829c229282

SHA512
a18dbc855edaae6ecbb1cc137014c0822778b1ef3763665ae192c97eb9eeab5d9fecdd3a296f982a9e002c651b554bc101ba3b7ff400843e9e714dcbc3c8d7e2

Download Submit
\Users\Admin\AppData\Roaming\Token_Build.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
\Users\Admin\AppData\Roaming\Token_Build.exe
Filesize
32KB

MD5
35a1e677c699dfef4db97b406e01c40c

SHA1
d9ce28092a979fbaf0fdae3cb7869159efa6c867

SHA256
5019177add4d0b65e09f3583d9e756375e90f09db56eb8154d1e92feba2e6551

SHA512
c90feca40ed1be1137c2f088e0ce780d6dd7d7e690afe69589a6d35f7f63bff099315623443dc4df81b723819b3641e84107b029ad65e9f2d2b71d9cd654696e

Download Submit
memory/464-80-0x0000000000000000-mapping.dmp

Download
memory/464-89-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download
memory/828-92-0x0000000000000000-mapping.dmp

Download
memory/828-97-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/1420-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/1760-90-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-83-0x0000000000000000-mapping.dmp

Download
memory/1788-73-0x0000000000000000-mapping.dmp

Download
memory/1788-78-0x0000000072F80000-0x000000007352B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-98-0x0000000000000000-mapping.dmp

Download
memory/1952-99-0x0000000000000000-mapping.dmp

Download