neshta | 98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2023 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3131321312313.exe
Size

15.0MB
MD5

504211aeace6ca8f70cc00a3215bda05
SHA1

502d5280f10f867627ed24e5dc297c3a5badcc28
SHA256

98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae
SHA512

cec60bfe8c941b18d32f6493ab1c2b784143e39577e4e5e33ecb75ba8412ff34f5e49da880c5a8482e4b30b7ed6ff095d160bf28b4866fdd1422bf2b224c6501
SSDEEP

49152:dz1B3kbWTQmYOXQB8eBVhTBUenNT9xaI/Ak3OQaa1ePdql7p3ib/fo1VOaf3sOk7:B

Score

10^/10

neshta njrat hacked persistence spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

there-carol.at.ply.gg:5855

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
behavioral2/memory/632-157-0x0000000000250000-0x0000000000D8E000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SQL.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\SQL.exe	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SQL.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\SQL.exe	Nirsoft

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3131321312313.exepaylod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	3131321312313.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	paylod.exe

Drops startup file 2 IoCs

Processes:

paylod.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 4 IoCs

Processes:

paylod.exeDangerous.exePayload.exeSQL.exe

pid process

408 paylod.exe
632 Dangerous.exe
5016 Payload.exe
4276 SQL.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
408	paylod.exe
632	Dangerous.exe
5016	Payload.exe
4276	SQL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paylod.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	paylod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3296 632 WerFault.exe Dangerous.exe

pid	pid_target	process	target process
3296	632	WerFault.exe	Dangerous.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SQL.exe

pid process

4276 SQL.exe
4276 SQL.exe
4276 SQL.exe
4276 SQL.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

pid	process
4276	SQL.exe
4276	SQL.exe
4276	SQL.exe
4276	SQL.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Dangerous.exePayload.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	632	Dangerous.exe
Token: SeDebugPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe
Token: 33	5016	Payload.exe
Token: SeIncBasePriorityPrivilege	5016	Payload.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4244 firefox.exe
4244 firefox.exe
4244 firefox.exe
4244 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4244 firefox.exe
4244 firefox.exe
4244 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4244 firefox.exe

pid	process
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe

pid	process
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe

pid	process
4244	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3131321312313.exepaylod.exePayload.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4692 wrote to memory of 408	4692	3131321312313.exe	paylod.exe
PID 4692 wrote to memory of 408	4692	3131321312313.exe	paylod.exe
PID 4692 wrote to memory of 408	4692	3131321312313.exe	paylod.exe
PID 4692 wrote to memory of 632	4692	3131321312313.exe	Dangerous.exe
PID 4692 wrote to memory of 632	4692	3131321312313.exe	Dangerous.exe
PID 4692 wrote to memory of 632	4692	3131321312313.exe	Dangerous.exe
PID 408 wrote to memory of 5016	408	paylod.exe	Payload.exe
PID 408 wrote to memory of 5016	408	paylod.exe	Payload.exe
PID 408 wrote to memory of 5016	408	paylod.exe	Payload.exe
PID 408 wrote to memory of 676	408	paylod.exe	attrib.exe
PID 408 wrote to memory of 676	408	paylod.exe	attrib.exe
PID 408 wrote to memory of 676	408	paylod.exe	attrib.exe
PID 5016 wrote to memory of 4276	5016	Payload.exe	SQL.exe
PID 5016 wrote to memory of 4276	5016	Payload.exe	SQL.exe
PID 5016 wrote to memory of 4276	5016	Payload.exe	SQL.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 2656 wrote to memory of 4244	2656	firefox.exe	firefox.exe
PID 4244 wrote to memory of 3328	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 3328	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 4292	4244	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

676 attrib.exe

pid	process
676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3131321312313.exe
"C:\Users\Admin\AppData\Local\Temp\3131321312313.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\SQL.exe
C:\Users\Admin\AppData\Local\Temp\\SQL.exe /stext C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4276

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
3⤵
- Views/modifies file attributes
PID:676

C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
"C:\Users\Admin\AppData\Local\Temp\Dangerous.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 832
3⤵
- Program crash
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 632 -ip 632
1⤵
PID:2336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.0.1386695400\226000661" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b40ee8ff-0172-4721-bc26-812aaac1f2dc} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 1948 23b47b18c58 gpu
3⤵
PID:3328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.1.2011779448\411059094" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcca1365-4264-43a0-b25c-6554cad535f3} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 2316 23b39b71058 socket
3⤵
PID:4292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.2.707321563\3049870" -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2720 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12856e78-1cc4-4373-ba8a-344677173f51} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 3168 23b4a80b858 tab
3⤵
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.3.1621893141\1166010375" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3484 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d347a05-61ba-44cd-abff-eff8afcfc482} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 1112 23b39b71c58 tab
3⤵
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.4.1228843200\999398997" -childID 3 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {722fb542-8eb9-40d2-ba5c-7e39394bb51c} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 4004 23b4ba89e58 tab
3⤵
PID:780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.5.511311004\344935948" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5064 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fad8f756-4212-4a09-a098-c3aff81a6646} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 5004 23b4cee3d58 tab
3⤵
PID:5036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.7.1235166160\2063360592" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5188 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f15f23c-151a-4a73-99a4-4e89c0d61d15} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 5456 23b4d204a58 tab
3⤵
PID:4776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4244.6.112022952\158415777" -childID 5 -isForBrowser -prefsHandle 4992 -prefMapHandle 4856 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5da4ffea-f192-4eae-9c64-beb66a7c5a83} 4244 "\\.\pipe\gecko-crash-server-pipe.4244" 4988 23b4d203e58 tab
3⤵
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
Filesize
142KB

MD5
c35f78c0672977a5ac871715479e14e3

SHA1
9e7e8742b56ac93bbcb69e8a870c35df1ac1868b

SHA256
6b7b400081ae024b0dc8aa5acea8db6ce5562ceefdf6f0a86d29ce9c3006ffa8

SHA512
87f7b56355dffd300b960d6c0937cd919e893472720638ab3cd355ef5b094c45977e86bf1dccb8fe3825ac1eec750de43421ffd9f46ce149012a62b096c0d684

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\A4BC0C99327D7691FF360F07D11373B5791EB30C
Filesize
14KB

MD5
ac5cb73f56785439c4dd3558bb6781fe

SHA1
8a3c47256ff6c50e4d3672482d955a9719bc803e

SHA256
bff051e4f371f8935e80a5eddaab70a3b93c53fb0541bc986a8c2de7332904a1

SHA512
5f1baf179fb456aa3f930d83db5aad2503c6dbe28ad8c83dcd7c0bbb461027072ecda75f0dbc1c9ab67f1ba98ea7df52a4610613bc2eb0203ebf8b09726fea0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPS6TEMP10.txt
Filesize
4KB

MD5
59f5e109fab5be401d6bd4ec9761b32a

SHA1
7de6b60f361f61a2e4567b2f44e5206afc6a23b0

SHA256
4829f91f7626e1917bd2882f0356c17596630efbc4883a911eb5c5b2955fb932

SHA512
10dd0784bad0d47bf9a2f1f0dcc7f0181df06474808a8104786e43c4392bcc7e3809676d5ecc95d2ce74e043fd329952b03d3efdcd905b15175cccdf385a1a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQL.exe
Filesize
353KB

MD5
a38281982740d4bcb1cb71d13508735b

SHA1
79caace31d17deb4f37c56cd8af4e3731be12324

SHA256
8ef45a1d9c797be035b17e09a7db9c07a1daf46112c910a4186ddd1048a2e222

SHA512
e615122344dddf825017f6e1123ce66419650adc2691d27f743d1f96ed81f325a2f5f23e5892384a76ff92412028940b413bec7c61454b980b1163eb7da4d2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQL.exe
Filesize
353KB

MD5
a38281982740d4bcb1cb71d13508735b

SHA1
79caace31d17deb4f37c56cd8af4e3731be12324

SHA256
8ef45a1d9c797be035b17e09a7db9c07a1daf46112c910a4186ddd1048a2e222

SHA512
e615122344dddf825017f6e1123ce66419650adc2691d27f743d1f96ed81f325a2f5f23e5892384a76ff92412028940b413bec7c61454b980b1163eb7da4d2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
5046027d76193c47eda704613363b0eb

SHA1
28c68cb8c0f41137f06c21de64edb17dfe932f66

SHA256
82c84773cea056f85ac4c36f99174a9f27d19cc1ff8cd01bd64b5c062a7a7150

SHA512
d996df4461ee3039b1344881fb606fb6f257f5b60b7d0c5917564ffc4dc80c0747f022195a12beb442d8da77aed44ec3c4e2016b7d8a791c821b0350c1d7c918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
c2029e31e25647730597ac950c8d6ae5

SHA1
02a4822c6621db10757690b91b31e489f372d462

SHA256
00cb0e919469efaf29695f0acac304bffc05b269c957f9baefb8e5dbddafef92

SHA512
10a57bd1f36a1c2d3e39a374f13e4e3ad26df448f24f5d1248e8bab267b8cb797fc03862e67fcfbcae5916b775b73be127b0e23cd8baeca3eb5850a9e7cc3121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
875848e93a571bba7d6cb839bbaa0c27

SHA1
fcfc80035c3e6535bd1ac95c7fd51c7c30e94be0

SHA256
754a0238c8a556f285341f1671a33724d06e0158fdef1a71e4aa8328954810a5

SHA512
c19b762ff193280673172e4aa67de95b377eecf677b243d9c7b0fed0c2ef74087ca94208ed243200e950c5614ae67492922a8783524222b43feab65a3808ecf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
57f325f4fcdb5a3b87b01e600ae87128

SHA1
72627cedfac1f9b3215d12bf305ce817ca280619

SHA256
0b6ae88fd51da35414838c05e3bb008daa724aada4a2b6496bc6b60866dbd1b3

SHA512
0112d0602bed11ba3b0d584031faa9555ed18f1e5005351190c63362a4cfd6e4379392638e7df4a74d00666d2b3f080845bc7e503bf2ef6595eadbd783d1122f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
8KB

MD5
96d53fd4b2b888484cb85ef35435c89a

SHA1
cdf188afe4439df1247b6dd8900a862be5d93dd3

SHA256
27be061418ff03867cceffabd7b4ee55695c08ff8b41c4882bf48f27b6e489c7

SHA512
4a23243d9721a6a06562adf713075b7b2700f302c4d44c89257e887a3cddcc0cacbcc17c91a661334545e64158b8fe754166a67a041c30f1f612bf6455c4f1d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
bcfd1786953d7aebb8ee1ecb076810ce

SHA1
57adc6e69e867546425ce180410d0d8d646828f7

SHA256
c218db7575bbb20b09d6cc7025f395ed130dd07d9a6801964d208eff86243e1a

SHA512
1db9aaa65cb6af729f4c089b2d12594c715c6b457e72f53b9b815c0ff5cdbdb9bfb25adc0d10d5c8b2d406670145e1ca40d8c455cd8e972929d305f1779e8a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
37f84a0b47d5b7b03a0424537cffbcbb

SHA1
46f8175aef2493e04ee5b93370dc6109180b0e84

SHA256
0dc5a798873ca9cc8b46e7093e087eeb2f46b7d2e5742640c37781e0ad0b1c3b

SHA512
d142cc587f27334c70efaac263a588961f28337c28040377c855beda7a58ea78c0ff19968c010af96a2d6b7964c3d708a0f8f3c5206837c9c45ca9c4a54d8b44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
58ef536d70969b08324e25a239ec24b9

SHA1
6d3401f2247b8e647b5b204f301f4af68ca5e0fb

SHA256
de5af860ab56d9c45564768ef6654aafed385d594e8f3f0e07eb1964f1b31da2

SHA512
43b735ea7f1fd4a3aa48999ee3de41d01f5aea87df96f11f0da58173c048e4efd6829078c6e997b63697ab6091dbeb4f870bfd7e48b03715f85389e0de8a3f88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
472KB

MD5
978830491e37a8e5b0e53cf8ea69e305

SHA1
03cf480bcaeab54839186f49ffe847e766d1b662

SHA256
ece0bf4d0f59a3640db9db4cc394f25cfd6f79b43d730ded7f5cfcfd2fa71f81

SHA512
d928f938cfbddd294f77e26a6582b41deb40996e2ce4e7fa964bd3c343a88e670973017044212ce3f0af037cc6016a522c65c541a590b18539342bc6fea00ad6

Download Submit
memory/408-162-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/408-145-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/632-159-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/632-160-0x0000000005960000-0x00000000059FC000-memory.dmp

Filesize
624KB

Download
memory/632-158-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/632-157-0x0000000000250000-0x0000000000D8E000-memory.dmp

Filesize
11.2MB

Download
memory/632-161-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/4692-133-0x0000000001940000-0x0000000001950000-memory.dmp

Filesize
64KB

Download
memory/5016-177-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/5016-176-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/5016-179-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/5016-178-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download