njrat | e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5932E512FCA596DE1FA5774A45744D81.exe
Size

1.3MB
MD5

5932e512fca596de1fa5774a45744d81
SHA1

c4d113bdc52299a7747a6583fce8b4e0b84d9b44
SHA256

e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
SHA512

caf150d5fe779167c8f1db3de3ffe0c379d3ca1c4bee3ad95cdae12cdf9323fe4bff8c2b80b3607125fc9b3fa4bd35f4faa0d0669d505c7f3f1533dc139f0204
SSDEEP

24576:b255Z6Cl6D/NkA+oRQkXAhaAOiMmY3DJYv2crSxYu:Gn6Clc1kApRNQvOiMP82cGe

Score

10^/10

njrat xworm lox evasion persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Lox

127.0.0.1:27486

Mutex

Defender.exe

Attributes

reg_key
Defender.exe
splitter
|Ghost|

Extracted

Family

njrat

Version

im523

Botnet

lox

structure-tour.at.ply.gg:27475

Mutex

90e01f40b77fe25a11d52d46dae82c17

Attributes

reg_key
90e01f40b77fe25a11d52d46dae82c17
splitter
|'|'|

Extracted

Family

xworm

programs-scsi.at.ply.gg:27411

Mutex

aXYuuqEq64Zy3vMn

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5028	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	5932E512FCA596DE1FA5774A45744D81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	New Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	Defender.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.url	Defender.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe	svh0stt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e01f40b77fe25a11d52d46dae82c17.exe	svh0stt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	Defender.exe

Executes dropped EXE 7 IoCs

pid	Process
4900	New Client.exe
4376	svchost.exe
2480	XClient.exe
3916	Defender.exe
4456	svh0stt.exe
3864	Defender.exe
1592	Defender.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Defender.exe\" .."	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Defender.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Defender.exe\" .."	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17 = "\"C:\\Windows\\svh0stt.exe\" .."	svh0stt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\90e01f40b77fe25a11d52d46dae82c17 = "\"C:\\Windows\\svh0stt.exe\" .."	svh0stt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	svh0stt.exe
File opened for modification	F:\autorun.inf	svh0stt.exe
File created	C:\autorun.inf	svh0stt.exe
File opened for modification	C:\autorun.inf	svh0stt.exe
File created	D:\autorun.inf	svh0stt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1416	5932E512FCA596DE1FA5774A45744D81.exe
1416	5932E512FCA596DE1FA5774A45744D81.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svh0stt.exe	svchost.exe
File opened for modification	C:\Windows\svh0stt.exe	svh0stt.exe
File created	C:\Windows\svh0stt.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5000	schtasks.exe
3936	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
460	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	5932E512FCA596DE1FA5774A45744D81.exe
1416	5932E512FCA596DE1FA5774A45744D81.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe
4900	New Client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4456	svh0stt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	XClient.exe
Token: SeDebugPrivilege	4900	New Client.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	3916	Defender.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2480	XClient.exe
Token: SeDebugPrivilege	4456	svh0stt.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: SeDebugPrivilege	3864	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: SeDebugPrivilege	1592	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe
Token: 33	3916	Defender.exe
Token: SeIncBasePriorityPrivilege	3916	Defender.exe
Token: 33	4456	svh0stt.exe
Token: SeIncBasePriorityPrivilege	4456	svh0stt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1416	5932E512FCA596DE1FA5774A45744D81.exe
2480	XClient.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4900	1416	5932E512FCA596DE1FA5774A45744D81.exe	79
PID 1416 wrote to memory of 4900	1416	5932E512FCA596DE1FA5774A45744D81.exe	79
PID 1416 wrote to memory of 4900	1416	5932E512FCA596DE1FA5774A45744D81.exe	79
PID 1416 wrote to memory of 4376	1416	5932E512FCA596DE1FA5774A45744D81.exe	80
PID 1416 wrote to memory of 4376	1416	5932E512FCA596DE1FA5774A45744D81.exe	80
PID 1416 wrote to memory of 4376	1416	5932E512FCA596DE1FA5774A45744D81.exe	80
PID 1416 wrote to memory of 2480	1416	5932E512FCA596DE1FA5774A45744D81.exe	81
PID 1416 wrote to memory of 2480	1416	5932E512FCA596DE1FA5774A45744D81.exe	81
PID 2480 wrote to memory of 780	2480	XClient.exe	83
PID 2480 wrote to memory of 780	2480	XClient.exe	83
PID 2480 wrote to memory of 4092	2480	XClient.exe	85
PID 2480 wrote to memory of 4092	2480	XClient.exe	85
PID 4900 wrote to memory of 3916	4900	New Client.exe	87
PID 4900 wrote to memory of 3916	4900	New Client.exe	87
PID 4900 wrote to memory of 3916	4900	New Client.exe	87
PID 4900 wrote to memory of 2188	4900	New Client.exe	88
PID 4900 wrote to memory of 2188	4900	New Client.exe	88
PID 4900 wrote to memory of 2188	4900	New Client.exe	88
PID 4376 wrote to memory of 4456	4376	svchost.exe	89
PID 4376 wrote to memory of 4456	4376	svchost.exe	89
PID 4376 wrote to memory of 4456	4376	svchost.exe	89
PID 2480 wrote to memory of 352	2480	XClient.exe	91
PID 2480 wrote to memory of 352	2480	XClient.exe	91
PID 2188 wrote to memory of 4360	2188	cmd.exe	93
PID 2188 wrote to memory of 4360	2188	cmd.exe	93
PID 2188 wrote to memory of 4360	2188	cmd.exe	93
PID 2480 wrote to memory of 5000	2480	XClient.exe	94
PID 2480 wrote to memory of 5000	2480	XClient.exe	94
PID 4456 wrote to memory of 5028	4456	svh0stt.exe	96
PID 4456 wrote to memory of 5028	4456	svh0stt.exe	96
PID 4456 wrote to memory of 5028	4456	svh0stt.exe	96
PID 3916 wrote to memory of 2736	3916	Defender.exe	98
PID 3916 wrote to memory of 2736	3916	Defender.exe	98
PID 3916 wrote to memory of 2736	3916	Defender.exe	98
PID 3916 wrote to memory of 3936	3916	Defender.exe	100
PID 3916 wrote to memory of 3936	3916	Defender.exe	100
PID 3916 wrote to memory of 3936	3916	Defender.exe	100
PID 2480 wrote to memory of 1620	2480	XClient.exe	102
PID 2480 wrote to memory of 1620	2480	XClient.exe	102
PID 2480 wrote to memory of 532	2480	XClient.exe	104
PID 2480 wrote to memory of 532	2480	XClient.exe	104
PID 532 wrote to memory of 460	532	cmd.exe	106
PID 532 wrote to memory of 460	532	cmd.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5932E512FCA596DE1FA5774A45744D81.exe
"C:\Users\Admin\AppData\Local\Temp\5932E512FCA596DE1FA5774A45744D81.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\New Client.exe
  "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Roaming\Defender.exe
    "C:\Users\Admin\AppData\Roaming\Defender.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\Defender.exe
      4⤵
      Creates scheduled task(s)
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 5
      4⤵
      PID:4360
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\svh0stt.exe
    "C:\Windows\svh0stt.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svh0stt.exe" "svh0stt.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5028
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5000
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DD4.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:460

C:\Users\Admin\AppData\Roaming\Defender.exe
C:\Users\Admin\AppData\Roaming\Defender.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Users\Admin\AppData\Roaming\Defender.exe
C:\Users\Admin\AppData\Roaming\Defender.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Defender.exe.log

Filesize
319B

MD5
8feef304777dfe95294f842d6d9a3852

SHA1
9f34db8c6647b7edfe8f4618eab53fc6a6161ea7

SHA256
829510e85c0787bb7a291b85b9f38d1e7c122cf07de3829c33e1fba4d06bc97f

SHA512
f381d170eeea45b115ad6bc6d27b6f55bfbae00d7694cc8efd18aaa7d17f4d47f1f21de856315c38754ec1181d137923a6d74cd0a0c2d1ec538c80ea8ff9d20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
43KB

MD5
24ebec5d3a911754938ac9bea7921625

SHA1
a79b84b232baf16f79780bdcf3171171f637684b

SHA256
e08a417139236da437b7cced4acee4f30b4e06e1067c436aa54c99bd637d45e8

SHA512
8e263f5ffef3877a605a81738c680d3afb01cde7eca4798661c24c2a53dd690e6fc681fc367c671c1c60125c6a959ba184c18326ea5273cb089780032f83be68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
43KB

MD5
24ebec5d3a911754938ac9bea7921625

SHA1
a79b84b232baf16f79780bdcf3171171f637684b

SHA256
e08a417139236da437b7cced4acee4f30b4e06e1067c436aa54c99bd637d45e8

SHA512
8e263f5ffef3877a605a81738c680d3afb01cde7eca4798661c24c2a53dd690e6fc681fc367c671c1c60125c6a959ba184c18326ea5273cb089780032f83be68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
43KB

MD5
24ebec5d3a911754938ac9bea7921625

SHA1
a79b84b232baf16f79780bdcf3171171f637684b

SHA256
e08a417139236da437b7cced4acee4f30b4e06e1067c436aa54c99bd637d45e8

SHA512
8e263f5ffef3877a605a81738c680d3afb01cde7eca4798661c24c2a53dd690e6fc681fc367c671c1c60125c6a959ba184c18326ea5273cb089780032f83be68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xv33xhmy.2tt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
37KB

MD5
ab01301daa4c65810ffd2eb23b51c74c

SHA1
556963ab12f90cdc52f7654e00ef2b331ac418c6

SHA256
59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c

SHA512
fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
37KB

MD5
ab01301daa4c65810ffd2eb23b51c74c

SHA1
556963ab12f90cdc52f7654e00ef2b331ac418c6

SHA256
59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c

SHA512
fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
37KB

MD5
ab01301daa4c65810ffd2eb23b51c74c

SHA1
556963ab12f90cdc52f7654e00ef2b331ac418c6

SHA256
59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c

SHA512
fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DD4.tmp.bat

Filesize
159B

MD5
118b79cf13d49c2e2346c7d17bcf6523

SHA1
14768441a2e3329704ca2d49598e6f232a55cff2

SHA256
ff34c19d3c78626da42f36b56007334dd66546acad2f42b09ce07303bf9ad131

SHA512
07d361e892923480855c6e2f0f896ff6384e079b83f4c0e65726c0397d721e514856aca2c0729bb67c2ee3b13009fa493dc5ad0557789ca36542f0dfe60fdbc6

Download Submit
C:\Users\Admin\AppData\Roaming\Defender.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Users\Admin\AppData\Roaming\Defender.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Users\Admin\AppData\Roaming\Defender.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Users\Admin\AppData\Roaming\Defender.exe

Filesize
65KB

MD5
7512d672a1aa2990358a8edb98b8756e

SHA1
0240bd7397bfd80fe13df3039122c0802a71c5cf

SHA256
fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877

SHA512
2a6ad544c6e8b9bd6c0a87403c1f4c0cc4e1330f36e64c409701818948a8a71c62691b23dc6debd8fc9b5a0950e4479c5001c64152b712d330347d8bfcaf08b4

Download Submit
C:\Windows\svh0stt.exe

Filesize
37KB

MD5
ab01301daa4c65810ffd2eb23b51c74c

SHA1
556963ab12f90cdc52f7654e00ef2b331ac418c6

SHA256
59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c

SHA512
fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

Download Submit
C:\Windows\svh0stt.exe

Filesize
37KB

MD5
ab01301daa4c65810ffd2eb23b51c74c

SHA1
556963ab12f90cdc52f7654e00ef2b331ac418c6

SHA256
59b3dc90ef07497ef1107f75e40c3961c19f0326e2283f8caa7059fcef5b1a8c

SHA512
fb22b7c830090be9a0150d789ca988e8beab0aac544cf57ce59e7d4ef66a9e548baa37df57ac529dc10c25ac308ac55fbe06abd43978668296d78df0f962ae1b

Download Submit
memory/352-221-0x000001E4DD060000-0x000001E4DD070000-memory.dmp

Filesize
64KB

Download
memory/352-220-0x000001E4DD060000-0x000001E4DD070000-memory.dmp

Filesize
64KB

Download
memory/352-223-0x000001E4DD060000-0x000001E4DD070000-memory.dmp

Filesize
64KB

Download
memory/780-172-0x000001E6F4BE0000-0x000001E6F4C02000-memory.dmp

Filesize
136KB

Download
memory/1416-133-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1416-161-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/1592-267-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/2480-162-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/2480-166-0x000000001AD00000-0x000000001AD10000-memory.dmp

Filesize
64KB

Download
memory/2480-246-0x000000001AD00000-0x000000001AD10000-memory.dmp

Filesize
64KB

Download
memory/3864-263-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/3916-222-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-247-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-249-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-250-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-251-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-252-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-253-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3916-254-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/4092-199-0x00000212DAE70000-0x00000212DAE80000-memory.dmp

Filesize
64KB

Download
memory/4092-196-0x00000212DAE70000-0x00000212DAE80000-memory.dmp

Filesize
64KB

Download
memory/4092-194-0x00000212DAE70000-0x00000212DAE80000-memory.dmp

Filesize
64KB

Download
memory/4456-248-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/4456-224-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/4900-165-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download