njrat | 3240bb4e565eac6e610055410caf961539c916bc33679f00abe0d3cc55e76809

Analysis

max time kernel
0s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30370507a2816a3b25424a98b0a257c3.exe
Size

180KB
MD5

30370507a2816a3b25424a98b0a257c3
SHA1

fb835ea3b66243bc388e6cd7f1d165ca086b5fa5
SHA256

3240bb4e565eac6e610055410caf961539c916bc33679f00abe0d3cc55e76809
SHA512

87001beabd5c678b90d96898258ed09c10fef2506b9bf83d2e20fd2cf26aeb8a9de8fd2666b75059d4c8c6e2953f527d54d13426328a392d4a766d2c98386c81
SSDEEP

1536:HYVEJZ96Fs69zS7Reyhi9W9ItegcjNUH9Xz5tiU+n8iiBa7aU3n2kd7GM/i26WhD:Hd2YSLmQirb+rL

Score

10^/10

njrat r77 hacked evasion rootkit trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

error404.linkpc.net:1177

Mutex

Svchost

Attributes

reg_key
Svchost
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 21 IoCs

Detects the payload of the r77 rootkit.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\System\r77-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\System\r77-x86.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll	r77_payload

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1276 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

BackgroundTransferHost.exe

pid process

2296 BackgroundTransferHost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3656 3116 WerFault.exe Payload.exe

pid	process
1276	netsh.exe

pid	process
2296	BackgroundTransferHost.exe

pid	pid_target	process	target process
3656	3116	WerFault.exe	Payload.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 4636 wrote to memory of 2296	4636	BackgroundTransferHost.exe
PID 4636 wrote to memory of 2296	4636	BackgroundTransferHost.exe
PID 4636 wrote to memory of 2296	4636	BackgroundTransferHost.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1252 attrib.exe
4840 attrib.exe
1476 attrib.exe
4948 attrib.exe
2688 attrib.exe
1608 attrib.exe
3700 attrib.exe
3084 attrib.exe

pid	process
1252	attrib.exe
4840	attrib.exe
1476	attrib.exe
4948	attrib.exe
2688	attrib.exe
1608	attrib.exe
3700	attrib.exe
3084	attrib.exe

C:\Users\Admin\AppData\Local\Temp\30370507a2816a3b25424a98b0a257c3.exe
"C:\Users\Admin\AppData\Local\Temp\30370507a2816a3b25424a98b0a257c3.exe"
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\tdERw.exe
  "C:\Users\Admin\AppData\Local\Temp\tdERw.exe"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\ProgramData\Payload.exe"
    3⤵
    - Views/modifies file attributes
    PID:4840
- - C:\ProgramData\Payload.exe
    "C:\ProgramData\Payload.exe"
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Svchost.exe"
      4⤵
      Views/modifies file attributes
      PID:1476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.exe"
      4⤵
      Views/modifies file attributes
      PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 2208
      4⤵
      PID:4520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 2248
      4⤵
      Program crash
      PID:3656
- C:\Users\Admin\AppData\Local\Temp\tdERwr.exe
  "C:\Users\Admin\AppData\Local\Temp\tdERwr.exe"
  2⤵
  PID:3148
- - C:\System\$77-System.exe
    "C:\System\$77-System.exe"
    3⤵
    PID:3948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System'
      4⤵
      PID:3900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System'
        5⤵
        
        PID:2452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe'
      4⤵
      PID:2900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x64.dll'
      4⤵
      PID:4872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x86.dll'
      4⤵
      PID:4276
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c attrib +h +r +s "\System"
      4⤵
      PID:2456
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +r +s "\System"
        5⤵
        Views/modifies file attributes
        
        PID:2688
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c attrib +h +r +s "\System\$77-System.exe"
      4⤵
      PID:3472
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe"
      4⤵
      PID:400
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c attrib +h +r +s "\System\r77-x64.dll"
      4⤵
      PID:2300
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c attrib +h +r +s "\System\r77-x86.dll"
      4⤵
      PID:3908
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh firewall delete allowedprogram "C:\System\$77-System.exe"
      4⤵
      Modifies Windows Firewall
      PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe'
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3116 -ip 3116
1⤵
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x64.dll'
1⤵
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x86.dll'
1⤵
PID:264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\attrib.exe
attrib +h +r +s "\System\$77-System.exe"
1⤵
- Views/modifies file attributes
PID:1608

C:\Windows\system32\attrib.exe
attrib +h +r +s "\System\r77-x64.dll"
1⤵
- Views/modifies file attributes
PID:3084

C:\Windows\system32\attrib.exe
attrib +h +r +s "\System\r77-x86.dll"
1⤵
- Views/modifies file attributes
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\System\r77-x64.dll

Filesize
70KB

MD5
18cbd9bdb962f1db8aa8a85073676795

SHA1
e73379c3020468cc0b10ecaa6212b130c9942208

SHA256
57ed781acbf1cd7e51001072b85fdf9fa0a383dc66fb20ca627f5cdd27a6bcf8

SHA512
67eda54870a6127976a58040d7c16ed4e0e4b775ef2476a5e6785bf7bf26ad996b3503901480e4416f3576feb4c7ecb20a41bde92e2e0f31a4feaa0d715343f0

Download Submit
C:\System\r77-x86.dll

Filesize
32KB

MD5
e8801559e14e871839cb6f846594fa20

SHA1
940efd94aa8069a63db539f33bd1b33fdc083427

SHA256
aead4d76cabdc7349595f228aec78ed9a023353521c8283c77936e312a1dde69

SHA512
368c8d9daa56017e8ce38c9a802300cbdbda9b8a964684ee525fa5a60cfec40c1732591f3e61753e4ce5bee3f160c84a99f320c7e0ab0340212060fd7ad8a4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
51KB

MD5
c763b90bd69d766d98b0ae3595a15c4d

SHA1
84f35ca487210e8eeea983efb6230a5f916d8978

SHA256
1e0c09e704578163832e6ede6e28bf5e5094a3e22c1ada972eaf6b18eb64e895

SHA512
3b76cd03db26c85d0266b3c590d0b95e08bd5c2bd36e660f165600c620e94b932a2034afee82a18299ee53c482383a3b95304ec47b0e2f2c5271d500d970874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
17KB

MD5
7e1323724bf3c29235f186adc5c38090

SHA1
d9095af2cc11125c14095f95b8eb7af2412885b5

SHA256
b8e87ac78b389bca1512aac0cb3e3a12ac9b96ef22b3cf1c84959bdf146e2044

SHA512
8039adda1cfcdcbd2dcce90d400e42dae12b093304d8c3cf9e3ab16ec09873d72b8321ed6d0554cba52386abf5bb58df06712586288c9ae70bd29c60627b6472

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
57KB

MD5
2e9cbe360f8d45cb328b440a01e1ad76

SHA1
8916122f0229c75b64d06aba23268e00cedad38c

SHA256
3c9608ba1d118da9bb2c48b3000b1bd840876afc91feaa5bde36ca9e40325b87

SHA512
ee3ad66feb4fc199222e19f6822d9e544eedf57c83d7563411eba0721743dc1dd4e235577e0a519728111125f01df0bcf381e830c7f9f7640b3efa85a2dfe009

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
26KB

MD5
4c72ee489093862b82274fc73d7f8597

SHA1
e37e26aeddbde99851adf5749abe9c81ba192405

SHA256
7387b045451ddf5ddf9f66ce837353b398c8ce3406f70508ab17c95be79386e8

SHA512
da3e994f03f0807725c7574adeef070f806333c1d1b7b210d1675854077177c360e40845e4717112a4c8159d0bbee6cdc8d5f5925add313bbbd8a31705eb8b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
4KB

MD5
7fd96dbb54beb199f96f985a17952747

SHA1
9f789a04dfafc46df2fce948e5a26785c48a5800

SHA256
e2f2f5bfcb820fd559404dc7c68dfaa809094f219ab4cb6fc1c315ea3b8cf2b4

SHA512
4ecc10ace715bf032b57059fcce0903dd0b7ce83c1576955858c7c9451ceaaf811d980f1157bbb2fa5efbcac36ea13cfbfbe047b1f0787334e30e0a2d815c3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
17KB

MD5
d463bff3ee1f933fe0959d07fcff5dae

SHA1
930c02100fe5fe1c79ab62eb8e87ea1ba83d93d4

SHA256
c04adea681ea96dd5a11bf3a99c20b7499ef4e4f54ffa50c2a735ab0a6074d83

SHA512
1d83747a5c055522ea9efc863a8f979c26d6acf07ded2a8541be600126c76a5a5324c73b4a9b5896208ce455d61c88540c691a2e0a6eb7212d24ad631bc168b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
44KB

MD5
239a8894737bb67e69cd1bb2ecd18b06

SHA1
06d5b2d004e11bee42ccbc5514ee886c4cb8f277

SHA256
75c7eb5880ba2fea1bae20107e9899e4924cb9a9fe5a65f7b8cde60bc827ab17

SHA512
123439e7e3690cdd80618c6a8fc34b2c8e12f63e6d6de61bbc1166493a6fc2563dca53ae87f609a3f3f08a556c758d5d4cabaffa9cd7271bc0d3094c600ecaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
26KB

MD5
ae7038c26299647bdfd12dd290936c64

SHA1
b5ec6d6ef3d42761730cd05db6aefd149611d143

SHA256
0643cfbf7a1ecc9f3edfebca66ae3ad436e4c958ba047fe55b354ca8415519de

SHA512
fc296f98bb17d98d0bfbb00a6282657bc774fc228331f2e4c16ffd2c69309d41d4d342d5fe900819526eaa4d90577fc1c6fe0688ac5128e46a875147c919c892

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
100KB

MD5
e3654662f8962e9fc1b43610c4a1abe8

SHA1
178d8fb79c9fc1ba4af536eb836564635c860ff1

SHA256
51407c19e460622604051c483c1354b030cb91741a9ebf2c58984688c2f9cac9

SHA512
97da0ea5cc6d9143bc881c83544a65146af26abdb2431b6abe4acdf4a518a4d4881aff4c4690a561da2b6082de2db0d997a75bd847cfe964cabee7ef80ca318e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
41KB

MD5
624120a9a8973532f0771dcadd66e42a

SHA1
b4aa02d4706d04199317a6a2e75859dd6abb4dfe

SHA256
2dff36d0dc33bbd0446c75a11a6942b56a60d3bdffbd58db59c1f8ec77d35044

SHA512
2346d4a98db53b71f378f1b2f22303584a88c96d1823cd3cb5247ce2034e0686986ebc331358c210d5cfc12eae7425a07e7e2882a7b309381da386fef36b9b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
44KB

MD5
56e6788222bf987d4a7e49ab82bfbdd1

SHA1
ed7bbdbc98f765a06548fc06ccf4db132022747c

SHA256
0f4024847e4dcb3b6d950877cd8e81fc6c3d2cd3a8aaf9892c6702f0ded289ca

SHA512
2db19ebe09d2af835a731cee1085e85c8a5a3b1b24474d29a7006188470fda3b3cccddbf26924d94ae176085693c3a54a93fc3368e5394acd94095b3fa06c34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
5KB

MD5
9a99682de71771ab09ae350863644ed5

SHA1
90c1d2efe12c8bb90e6acdc1d831338a498f73ce

SHA256
27196519f228a7e817f81e81b2ee413bf71a01d4fd51415d39fc7947390caf0f

SHA512
5ff5df8268e0e2131bf31569272c67be63490177575286659c1a918378485064aa058349a47f8aec87a1ed335b80ce261509e66384b1a8daa19434706c82cb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
62KB

MD5
24a17177d7cbe0f0253576f89629fba5

SHA1
32a6a7b1bb9af6c3978c3c06cfda835347225bce

SHA256
506f11fe7f31e225aff9bd80e6def31084d820b95179f289c7e078665b15257c

SHA512
47e95b2bade424e996cb5f2ed37c4364b28acd2a7eaff53414565fca1b94601f986136f26d282b8196680a071b4e0416203e7c60c759151d585c74a85eaa7113

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
1KB

MD5
f876111a3b07056f09c58fc27b13bd6f

SHA1
848963ea464467e43f78221c221855159bfcb1e0

SHA256
15647e5e9b4bfaf3463e82ff861dd4b9151c0b7ecc6c250d2bd3d685e1ea4eb6

SHA512
0f687ad222d7696ea3fa7be571016789add478a14a70a0c76b11ca4d633b26cd05b65f6765fdbf5787326a46fc73167a543e15b76ad6d4586cf520af2b56afd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
69KB

MD5
5b57e6f46cf518d8f67f3837c5efef2f

SHA1
7c53b67c9c22f4361b3db65c85177624a93a764f

SHA256
da45eae817dbde2f1da27cdad23e87d5ccf4b67bff0cade1cd4efc094743e8f0

SHA512
af7133e89c3636b9c33db635e199697591a685acc6d079bcd2d41cafddb8dee89a5ebf0dc0f4d1d57ca3fd16eba2745fc44b09689a88f6a115d54f600e7211ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
10KB

MD5
5f5f22637e5baa3649eac3bfd931a2f6

SHA1
ec6153c704aef18036ed6a672156db8eb6c93cb2

SHA256
4a011419d6276f6f159eff8ff24b3fa437b24514c3fb9bb63537434edfa5ac94

SHA512
c335286826316eb95fcbadeae255c3a35cfca6a18ec14b2e0e6744709d5a6904816a2b3c31c0c87f356bfe4a0926346d6bdf772c1e815a03cb894a2fff2e2dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
55KB

MD5
04ab635b008166ce25c910bca2dc4b7d

SHA1
4bc2cbcb3e5a5f14705aed0e53e5593adbf60d63

SHA256
5297762a951b02f185f4d1b70a7d00ae445a18796e50b49c4c0ab03ae90d9a18

SHA512
ee47f8e28a6d708815306d75846d442078e6fb9b75f1170d620ed5d8d54feca2b675a4a7fc284c871a25eceda4048fb646084bd40993dc295149079420f62cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

Filesize
81KB

MD5
6c9cea3403b496de0ba732c1d6bb8c59

SHA1
79dce15f6811ab38c20031ae281ef45ecdd160f3

SHA256
d26e9b43092550b6a191d29a3cd0123eb5e09d689cba185b9333d5a44a94b8bb

SHA512
fa259dc03d467371934bd2f747bd085e284d04f50c25da04362100a3c619e36acd6b31d3713e76cb5cb256c20f73216000c9b8a5c6f3713ebf1a4550898aa210

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-b119a32bd02d4cb2ab9c43fa9c20a4d2-x64.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ard30lkc.rnj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdERw.exe

Filesize
27KB

MD5
e1835846b8fbf14aa38eecc24b4ebc52

SHA1
83a10357ee2ed7e18f68544d748777add0d0b266

SHA256
9e512b7a9feae0b292a5bc181cc6f3d670444314e4ea9566658316fde96ea32a

SHA512
fe9a8bfa7a5e8aa426dd4f82bfd53d076c21936818b5362b5344a870bc93159f29efbbd5c57118f9998b918cb3cdfde552dd65ff3f580958cc37462122a4b480

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdERw.exe

Filesize
13KB

MD5
09d79ae1ac561f83f1c4627bec111da7

SHA1
5314696807f4f5d86a72fe784afe602c09ce39bf

SHA256
eaf14e6342164bd0c8294b5b4da01574fe89791cede7565cff480ccf35e3f4aa

SHA512
26fc57506db86a3881207bb305f6a3abb734f1436407e35c4db0d830383333751830942d3be79eb6bb5d247fc93446f5f47436ab91eedfa2907b764d9a18a028

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdERwr.exe

Filesize
36KB

MD5
f25897326beee04afba384bc50e0c35b

SHA1
5085a4d48444be7f4a7ec1dd4f4810d3ce5869cb

SHA256
95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13

SHA512
85def6bc6209971cf42efac5f62112a086e9f85b15a49142d335eb6093ded27962a952bf03801ee09a210bad45d7a008202031b135ff02770ee715708a7d56e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.exe

Filesize
25KB

MD5
5c9d3961c0b4565e751bdf3b17d55335

SHA1
2fa09e5b0c3cec548d28c11e9d5a48fe6f0e767f

SHA256
c51aaffb0d1ac40a410f6b547111e6c8423bc2fbff113f2386516582a23ae052

SHA512
9d65465d800efbc5c4d5d6c892e36a8c3ee13d8df1b74afb2c7a4dd346fa823f69aaa85f59c5256b61790a5455a23bfdf6f7bfee652adea2516b7ee805da8ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnk

Filesize
1KB

MD5
20f9d460beae489c690a28fbb03dbd62

SHA1
2a0e56ac76b82481ebf0fca5666db1d97a572a2d

SHA256
f586aab2040d1ebca0c76fb10d3dd812c05e8d3985c15dc63d9d76cd87400336

SHA512
be89fa866659b342cd93e9fce50fcdf1cfd9e8513881e557eb2f846bf930377b62117e9d80f020cd91f0e3b846473f190d58b96336c1dd1243e9485d7067e974

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Svchost.lnk

Filesize
1KB

MD5
0432ca64f1066cc06e80767b4d79cef9

SHA1
5267a57cf3a238e4ad6d2999dd9642c06240f03e

SHA256
fb3e42449490b733c04a931a6c4b293bdcdbd5e482bef5f7a51345612f78bbff

SHA512
1b3a4bbae783d71006fe38179461926e4de4d77ba6d5d6f5404024d934ccce42bf8b7e79acf7a9a8a854968493233eda32556543fe753c0f0016eaa0e47f56b2

Download Submit
memory/264-178-0x0000019FD04A0000-0x0000019FD04B0000-memory.dmp

Filesize
64KB

Download
memory/264-177-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/264-179-0x0000019FD04A0000-0x0000019FD04B0000-memory.dmp

Filesize
64KB

Download
memory/264-181-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/264-182-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/264-165-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/264-176-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/1276-193-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/1276-192-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/1276-194-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/2064-161-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/2064-152-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/2064-158-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2064-159-0x0000025378420000-0x0000025378430000-memory.dmp

Filesize
64KB

Download
memory/2064-162-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2064-146-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/2296-54-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2296-27-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2296-26-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2296-25-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/2452-89-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/2452-106-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-91-0x0000027727B80000-0x0000027727B90000-memory.dmp

Filesize
64KB

Download
memory/2452-98-0x000002770F630000-0x000002770F652000-memory.dmp

Filesize
136KB

Download
memory/2452-102-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/2452-103-0x0000027727B80000-0x0000027727B90000-memory.dmp

Filesize
64KB

Download
memory/2452-90-0x00007FF807F60000-0x00007FF807F61000-memory.dmp

Filesize
4KB

Download
memory/2452-88-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/2452-107-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/3116-53-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/3116-143-0x00000000745D0000-0x0000000074B81000-memory.dmp

Filesize
5.7MB

Download
memory/3148-24-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/3148-23-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3148-42-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/3948-140-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/3948-43-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-133-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-126-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/4156-116-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/4156-128-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-129-0x000002779B6B0000-0x000002779B6C0000-memory.dmp

Filesize
64KB

Download
memory/4156-132-0x00007FF807F70000-0x00007FF808165000-memory.dmp

Filesize
2.0MB

Download
memory/4156-130-0x000002779B6B0000-0x000002779B6C0000-memory.dmp

Filesize
64KB

Download
memory/4636-0-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/4636-22-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-3-0x00007FFFE9630000-0x00007FFFEA0F1000-memory.dmp

Filesize
10.8MB

Download