njrat | a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc

Analysis

max time kernel
154s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Size

663KB
MD5

e4df57bd77bee2f9c9e3ea85d9140cc7
SHA1

a382fdddc8b9c47d57878c8e3a24bd991400a76b
SHA256

a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc
SHA512

81c8414cb0abef54c40a62ba9fca850d3d1bd6a71296979a36e9db4a340b42cf1d9225997317db9e1b56a9f51f82f18d109a6b73171ab1306d7120a97e7cde26
SSDEEP

12288:huk4uHbAxQCDsAePggw38ZFjejph6YKg4Mk0V/hDix9WE3QqH3csD4z:hJt7AGMExw38ZFjejph6YKg4MLC33csW

Score

10^/10

njrat hacked evasion persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

198.54.133.72:59249

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

KernelUpdate1.exeKernelUpdate2.exejuscheduler.exeVisualUpdater-Text.exejuscheduler-2.exeVisualStudioUpdaterTmp.exeServer.exeServer.exe

pid	process
1336	KernelUpdate1.exe
2392	KernelUpdate2.exe
528	juscheduler.exe
4496	VisualUpdater-Text.exe
3984	juscheduler-2.exe
1280	VisualStudioUpdaterTmp.exe
1132	Server.exe
1788	Server.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

KernelUpdate2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CompleteResolve.tiff.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\RestartAdd.crw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\SetWrite.crw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallRename.png.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\WaitShow.crw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToInvoke.png.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\DebugEnable.crw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureDeny.raw.Cry	KernelUpdate2.exe
File opened for modification	C:\Users\Admin\Pictures\OutStop.raw.Cry	KernelUpdate2.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe	vmprotect
behavioral2/memory/3984-163-0x0000000000410000-0x0000000000488000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

Drops startup file 4 IoCs

Processes:

KernelUpdate2.exeKernelUpdate1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qRERbdKw22juwi2Y.exe	KernelUpdate2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	KernelUpdate1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	KernelUpdate1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qRERbdKw22juwi2Y.exe	KernelUpdate2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KernelUpdate1.exeHEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KernelUpdate1.exe\" .."	KernelUpdate1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe"	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\KernelUpdate1.exe\" .."	KernelUpdate1.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 api64.ipify.org
44 ip-api.com
20 api64.ipify.org

flow	ioc
21	api64.ipify.org
44	ip-api.com
20	api64.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

KernelUpdate2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.img"	KernelUpdate2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3148 2680 WerFault.exe HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4892 schtasks.exe

pid	pid_target	process	target process
3148	2680	WerFault.exe	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

pid	process
4892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exejuscheduler.exe

pid	process
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
528	juscheduler.exe
528	juscheduler.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

KernelUpdate1.exeServer.exe

pid process

1336 KernelUpdate1.exe
1132 Server.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exeKernelUpdate1.exeKernelUpdate2.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
Token: SeDebugPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: SeDebugPrivilege	2392	KernelUpdate2.exe
Token: SeBackupPrivilege	4356	vssvc.exe
Token: SeRestorePrivilege	4356	vssvc.exe
Token: SeAuditPrivilege	4356	vssvc.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe
Token: 33	1336	KernelUpdate1.exe
Token: SeIncBasePriorityPrivilege	1336	KernelUpdate1.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.execmd.exeKernelUpdate1.exe

description	pid	process	target process
PID 2680 wrote to memory of 1336	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 2680 wrote to memory of 1336	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 2680 wrote to memory of 1336	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate1.exe
PID 2680 wrote to memory of 2392	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate2.exe
PID 2680 wrote to memory of 2392	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	KernelUpdate2.exe
PID 2680 wrote to memory of 4792	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 2680 wrote to memory of 4792	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 2680 wrote to memory of 4792	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	cmd.exe
PID 4792 wrote to memory of 528	4792	cmd.exe	juscheduler.exe
PID 4792 wrote to memory of 528	4792	cmd.exe	juscheduler.exe
PID 4792 wrote to memory of 528	4792	cmd.exe	juscheduler.exe
PID 1336 wrote to memory of 4892	1336	KernelUpdate1.exe	schtasks.exe
PID 1336 wrote to memory of 4892	1336	KernelUpdate1.exe	schtasks.exe
PID 1336 wrote to memory of 4892	1336	KernelUpdate1.exe	schtasks.exe
PID 2680 wrote to memory of 4496	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 2680 wrote to memory of 4496	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 2680 wrote to memory of 4496	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualUpdater-Text.exe
PID 2680 wrote to memory of 3984	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	juscheduler-2.exe
PID 2680 wrote to memory of 3984	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	juscheduler-2.exe
PID 2680 wrote to memory of 1280	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualStudioUpdaterTmp.exe
PID 2680 wrote to memory of 1280	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	VisualStudioUpdaterTmp.exe
PID 2680 wrote to memory of 3028	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe
PID 2680 wrote to memory of 3028	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe
PID 2680 wrote to memory of 3028	2680	HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-a66b1473c334a14386db0e41b0c3eaf394370c9a38491f065ad46205a3805efc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
"C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:4892

C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
"C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C juscheduler /D
2⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\juscheduler.exe
juscheduler /D
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
"C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe"
2⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
"C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe"
2⤵
- Executes dropped EXE
PID:3984

C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
"C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe" -f json
2⤵
- Executes dropped EXE
PID:1280

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
2⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2624
2⤵
- Program crash
PID:3148

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680
1⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
Filesize
408B

MD5
42157868488d3ef98c00e3fa12f064be

SHA1
aad391be9ac3f6ce1ced49583690486a5f4186fb

SHA256
b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

SHA512
8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaLog714.txt
Filesize
24B

MD5
6ddac8dbf280190fda6f9ecc3167f804

SHA1
492ddc39d5467c84fa2a6e12a8dcf943cf4e2150

SHA256
e0d3567dc1fc114253fc66724b5e226ff1907a767abef8f684e3b7359719ab55

SHA512
77dafbba153b620ea5fced1d91dee2c9fbe80a5ac555929d2cf5c023a931dbd2a980cb719d28652779f9e785e45b772f98270ac7737f403e691fb0e2642789ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate1.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
Filesize
213KB

MD5
93f60615483ac2d688014fb8abb49493

SHA1
a9e62e660df816b144eedf50634f79bad4ae5aaa

SHA256
e8a21b70b0c351d344ff21ac0c90a1d1473baeb5448c75a93fc892627d63481e

SHA512
195ab59e26050c8d9d00778556a30e76a88e69f625041623e74c56fbf226383ce3fc41d0c7a93fbed9a13f1399d4491e4c38e30f6452653f6518f69b23dfa202

Download Submit
C:\Users\Admin\AppData\Local\Temp\KernelUpdate2.exe
Filesize
213KB

MD5
93f60615483ac2d688014fb8abb49493

SHA1
a9e62e660df816b144eedf50634f79bad4ae5aaa

SHA256
e8a21b70b0c351d344ff21ac0c90a1d1473baeb5448c75a93fc892627d63481e

SHA512
195ab59e26050c8d9d00778556a30e76a88e69f625041623e74c56fbf226383ce3fc41d0c7a93fbed9a13f1399d4491e4c38e30f6452653f6518f69b23dfa202

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
08217ec28a87d1311d51fb77d5eea37e

SHA1
d689cf420858c8fa2a2b819e6e62272c149b0fef

SHA256
7b11cf9dec3d302762fad7170f6d901ff1512f41c62ffc4d29c6122a5b7440e4

SHA512
8184eebc9e045a7c24726c25e63a5c45bfe538fb7a5979d9a0162818af181019919d0718320bfb9309036f9790823b05be98c4101388a2202f1598e247deb743

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
Filesize
5.8MB

MD5
b7b1d390baaf579925ec6a33b6beeec8

SHA1
5adc077b6f3bb003612bee45dde4048c0b3badf7

SHA256
1a774eda0f7432744cecdfddf9f0e6d69fa1d89cba0530928d56db6a564a4cbb

SHA512
50be590f78123b67ad8c56010e07d7f713bf86c8bc1e21d857422667fd8b2c40cd45df06bf3b88c91e18a5c1bb749df4c33a109ff18a5c783320a85d5679cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualStudioUpdaterTmp.exe
Filesize
5.8MB

MD5
b7b1d390baaf579925ec6a33b6beeec8

SHA1
5adc077b6f3bb003612bee45dde4048c0b3badf7

SHA256
1a774eda0f7432744cecdfddf9f0e6d69fa1d89cba0530928d56db6a564a4cbb

SHA512
50be590f78123b67ad8c56010e07d7f713bf86c8bc1e21d857422667fd8b2c40cd45df06bf3b88c91e18a5c1bb749df4c33a109ff18a5c783320a85d5679cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
Filesize
287KB

MD5
46ba1202b6647cd0c5f4313074521505

SHA1
0fd9cabf93ec4adf41837630c689399d5a0480bc

SHA256
2df6b0ff15250c330493d9ac2e4b8b69f96b80340539ba7fc66376ee6019ed74

SHA512
8c09b7bfcf8d1e09d4425d180c8ee7c623809f807508c344310f6aa70207f1163650b41b4f31af99361df41249f4aa48a098437cd65636557c100dae0433faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VisualUpdater-Text.exe
Filesize
287KB

MD5
46ba1202b6647cd0c5f4313074521505

SHA1
0fd9cabf93ec4adf41837630c689399d5a0480bc

SHA256
2df6b0ff15250c330493d9ac2e4b8b69f96b80340539ba7fc66376ee6019ed74

SHA512
8c09b7bfcf8d1e09d4425d180c8ee7c623809f807508c344310f6aa70207f1163650b41b4f31af99361df41249f4aa48a098437cd65636557c100dae0433faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
Filesize
269KB

MD5
0aa1ab3c5fb489bcafd94c3531b78155

SHA1
8ae2e42d5330ab4eddb9790beb17c856ad8d7b6b

SHA256
376aa36dd9b2e2615005f04e75b27a63e12f398cc3df9f4a752d26760a29635a

SHA512
8d3684b3133818f9e9d4a979e62f9fc331ec6d3b34b7e4c854459332889f44bf29f6c8f8334f5c155071d4ab1b521d88fcca38360c22e8567fe0765e1350b038

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler-2.exe
Filesize
269KB

MD5
0aa1ab3c5fb489bcafd94c3531b78155

SHA1
8ae2e42d5330ab4eddb9790beb17c856ad8d7b6b

SHA256
376aa36dd9b2e2615005f04e75b27a63e12f398cc3df9f4a752d26760a29635a

SHA512
8d3684b3133818f9e9d4a979e62f9fc331ec6d3b34b7e4c854459332889f44bf29f6c8f8334f5c155071d4ab1b521d88fcca38360c22e8567fe0765e1350b038

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler.exe
Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
C:\Users\Admin\AppData\Local\Temp\juscheduler.exe
Filesize
763KB

MD5
0a50081a6cd37aea0945c91de91c5d97

SHA1
755309c6d9fa4cd13b6c867cde01cc1e0d415d00

SHA256
6606d759667fbdfaa46241db7ffb4839d2c47b88a20120446f41e916cad77d0b

SHA512
f0a4e9a3dc065df2182527b17077c822d4535db86bf61f5ee795ee469b15159560a8e81e60d3037f3de1bb38e92f0fc8a422c2656882650d699e2b96948f9846

Download Submit
C:\Users\Admin\AppData\Local\Temp\mat-debug8787.txt
Filesize
24B

MD5
6ddac8dbf280190fda6f9ecc3167f804

SHA1
492ddc39d5467c84fa2a6e12a8dcf943cf4e2150

SHA256
e0d3567dc1fc114253fc66724b5e226ff1907a767abef8f684e3b7359719ab55

SHA512
77dafbba153b620ea5fced1d91dee2c9fbe80a5ac555929d2cf5c023a931dbd2a980cb719d28652779f9e785e45b772f98270ac7737f403e691fb0e2642789ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_cookie.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_credit.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_download.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_history.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\chrome_password.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_bookmark.json
Filesize
576B

MD5
0c51c7d4502f74f015b2c890d27488ee

SHA1
81a4161bbc1e2d0de14dea5775bb9f3f69077449

SHA256
9673c6d7df19e1112017a75e1bed3620cf621413903e40283850163acd29e2fc

SHA512
9a479ed45eefad4058afa54912826fe98bd98983fdebbe9a9691807d9a05304c004f2942d2e82a509ef12822e3e98e8825331dd41a631eb8c7c0d45492bde1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_cookie.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_download.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\firefox_history.json
Filesize
819B

MD5
6292afd08e57618985860d5517e5e09b

SHA1
ea3abe1ce8927c84b5be1a7ccbe0ccade14e5bec

SHA256
16dfc0285c4563c09b7b336cc551c9e9fefe8e2ff92bebf4dcd29e56cd2e5f56

SHA512
e75f322f79ff99e0ef2a3c8bd04feea872686ca4d9623521a0dfaa7ff67050aa9e31fb33b8084791b22be08bbb59320b82c0814e2bb86a3e196f5922536e5da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\microsoft_edge_credit.json
Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\microsoft_edge_download.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\microsoft_edge_history.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\results\microsoft_edge_password.json
Filesize
5B

MD5
674441960ca1ba2de08ad4e50c9fde98

SHA1
d910b02871075d3156ec8675dfc95b7d5d640aa6

SHA256
38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed

SHA512
f96f4e45908897091e943fce1cefceaf213ed5746b997b97187b3e6e989476132e2358b2c5af4ec8942b3c00d6f8d1273e539d1b2ea82aef6c0a92a312d88a6d

Download Submit
memory/528-147-0x0000000000000000-mapping.dmp

Download
memory/1132-189-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/1132-173-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/1132-174-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/1280-168-0x0000000000000000-mapping.dmp

Download
memory/1336-151-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/1336-144-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/1336-136-0x0000000000000000-mapping.dmp

Download
memory/1788-194-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/1788-195-0x000000006FE70000-0x0000000070421000-memory.dmp

Filesize
5.7MB

Download
memory/2392-145-0x00007FFA06030000-0x00007FFA06AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-142-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2392-152-0x00007FFA06030000-0x00007FFA06AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2392-139-0x0000000000000000-mapping.dmp

Download
memory/2680-132-0x00000000001C0000-0x00000000002BA000-memory.dmp

Filesize
1000KB

Download
memory/2680-188-0x0000000006000000-0x0000000006092000-memory.dmp

Filesize
584KB

Download
memory/2680-143-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/2680-135-0x0000000009540000-0x00000000095DC000-memory.dmp

Filesize
624KB

Download
memory/2680-190-0x0000000006420000-0x0000000006486000-memory.dmp

Filesize
408KB

Download
memory/3028-191-0x0000000000000000-mapping.dmp

Download
memory/3984-163-0x0000000000410000-0x0000000000488000-memory.dmp

Filesize
480KB

Download
memory/3984-165-0x00007FFA06030000-0x00007FFA06AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-166-0x00007FFA06030000-0x00007FFA06AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-160-0x0000000000000000-mapping.dmp

Download
memory/4496-156-0x00000000005F0000-0x000000000066E000-memory.dmp

Filesize
504KB

Download
memory/4496-153-0x0000000000000000-mapping.dmp

Download
memory/4792-146-0x0000000000000000-mapping.dmp

Download
memory/4892-150-0x0000000000000000-mapping.dmp

Download