njrat | ffe78ab905d69421ab325f5f6fa0e1448a01245538d1f275abaa645e44fb0cb5

Analysis

max time kernel
151s
max time network
164s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

я хз.exe
Size

60.0MB
MD5

5d6cfc446688ff35118f60f1c0c6d9ec
SHA1

c38cc9315d6212dbf9a2b0121bedf8e19e4489c9
SHA256

ffe78ab905d69421ab325f5f6fa0e1448a01245538d1f275abaa645e44fb0cb5
SHA512

2d48eb58d9d145171efe3e98782bf1a8fbd28b2b7fb3b038172a8b36016bf318a9fb0f8e2729f3023a99ad2e3a05225030e18614792818046705531dcbcad199
SSDEEP

49152:qn5mOaNuKQGr02wVAFJApbVY6e7D5jD9KVSxU03l8U+cweXeFrA1n:q5mlkK1Dqne7D5jD9KVSxU8g9A

Score

10^/10

njrat umbral xworm hacked evasion persistence rat stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1218609538920353852/S1ojkdaVMzB73hU0FP8eYpB-410O6wodDINDM_pIeYL7IbxP-7KaqYh-SCI37JJ02Eb_

https://discord.com/api/webhooks/1218255752314097764/pf1l_fyX4Y944q-tMNsmbSq2cfDBpqCBXuTvF0vyF76tkTcn3FOYasjrq_iM6NffJOYF

Extracted

Family

xworm

approved-supports.gl.at.ply.gg:45098

Attributes

Install_directory
%AppData%
install_file
rat.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

6.tcp.eu.ngrok.io:11599

Mutex

56b4ba924dd7632c1dcce848fbc8f14a

Attributes

reg_key
56b4ba924dd7632c1dcce848fbc8f14a
splitter
|'|'|

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225e-6.dat	family_umbral
behavioral1/memory/2920-9-0x0000000000EC0000-0x0000000000F00000-memory.dmp	family_umbral
behavioral1/files/0x000900000001227d-13.dat	family_umbral
behavioral1/memory/2856-19-0x00000000009F0000-0x0000000000A30000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cd2-30.dat	family_xworm
behavioral1/memory/2540-32-0x0000000000B60000-0x0000000000B78000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Etc.exe
File created	C:\Windows\system32\drivers\etc\hosts	rykmnxwyylqw.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2812	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat.lnk	pautoenr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\56b4ba924dd7632c1dcce848fbc8f14a.exe	Njrat.0.7D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\56b4ba924dd7632c1dcce848fbc8f14a.exe	Njrat.0.7D.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rat.lnk	pautoenr.exe

Executes dropped EXE 9 IoCs

pid	Process
2920	Saransk.exe
2856	PeerDistAD.exe
2508	Etc.exe
2540	pautoenr.exe
2876	Njrat.0.7D.exe
468	Process not Found
1620	rykmnxwyylqw.exe
2368	rat.exe
2672	rat.exe

Loads dropped DLL 3 IoCs

pid	Process
2236	я хз.exe
2236	я хз.exe
468	Process not Found

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\56b4ba924dd7632c1dcce848fbc8f14a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Njrat.0.7D.exe\" .."	Njrat.0.7D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\56b4ba924dd7632c1dcce848fbc8f14a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Njrat.0.7D.exe\" .."	Njrat.0.7D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\rat = "C:\\Users\\Admin\\AppData\\Roaming\\rat.exe"	pautoenr.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Njrat.0.7D.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	6.tcp.eu.ngrok.io
12	6.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Njrat.0.7D.exe
File opened for modification	C:\autorun.inf	Njrat.0.7D.exe
File created	D:\autorun.inf	Njrat.0.7D.exe
File created	F:\autorun.inf	Njrat.0.7D.exe
File opened for modification	F:\autorun.inf	Njrat.0.7D.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Etc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	rykmnxwyylqw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2744	1620	rykmnxwyylqw.exe	99

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1512	sc.exe
2428	sc.exe
1372	sc.exe
1884	sc.exe
1816	sc.exe
2060	sc.exe
2216	sc.exe
1732	sc.exe
3020	sc.exe
2752	sc.exe
1356	sc.exe
2316	sc.exe
2760	sc.exe
2624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1224	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40f51d82e077da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	Etc.exe
544	powershell.exe
1960	powershell.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
884	powershell.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2508	Etc.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2508	Etc.exe
2508	Etc.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
1620	rykmnxwyylqw.exe
2872	powershell.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
1656	powershell.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe
2876	Njrat.0.7D.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	Njrat.0.7D.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	pautoenr.exe
Token: SeDebugPrivilege	2856	PeerDistAD.exe
Token: SeDebugPrivilege	2920	Saransk.exe
Token: SeIncreaseQuotaPrivilege	3008	wmic.exe
Token: SeSecurityPrivilege	3008	wmic.exe
Token: SeTakeOwnershipPrivilege	3008	wmic.exe
Token: SeLoadDriverPrivilege	3008	wmic.exe
Token: SeSystemProfilePrivilege	3008	wmic.exe
Token: SeSystemtimePrivilege	3008	wmic.exe
Token: SeProfSingleProcessPrivilege	3008	wmic.exe
Token: SeIncBasePriorityPrivilege	3008	wmic.exe
Token: SeCreatePagefilePrivilege	3008	wmic.exe
Token: SeBackupPrivilege	3008	wmic.exe
Token: SeRestorePrivilege	3008	wmic.exe
Token: SeShutdownPrivilege	3008	wmic.exe
Token: SeDebugPrivilege	3008	wmic.exe
Token: SeSystemEnvironmentPrivilege	3008	wmic.exe
Token: SeRemoteShutdownPrivilege	3008	wmic.exe
Token: SeUndockPrivilege	3008	wmic.exe
Token: SeManageVolumePrivilege	3008	wmic.exe
Token: 33	3008	wmic.exe
Token: 34	3008	wmic.exe
Token: 35	3008	wmic.exe
Token: SeIncreaseQuotaPrivilege	3008	wmic.exe
Token: SeSecurityPrivilege	3008	wmic.exe
Token: SeTakeOwnershipPrivilege	3008	wmic.exe
Token: SeLoadDriverPrivilege	3008	wmic.exe
Token: SeSystemProfilePrivilege	3008	wmic.exe
Token: SeSystemtimePrivilege	3008	wmic.exe
Token: SeProfSingleProcessPrivilege	3008	wmic.exe
Token: SeIncBasePriorityPrivilege	3008	wmic.exe
Token: SeCreatePagefilePrivilege	3008	wmic.exe
Token: SeBackupPrivilege	3008	wmic.exe
Token: SeRestorePrivilege	3008	wmic.exe
Token: SeShutdownPrivilege	3008	wmic.exe
Token: SeDebugPrivilege	3008	wmic.exe
Token: SeSystemEnvironmentPrivilege	3008	wmic.exe
Token: SeRemoteShutdownPrivilege	3008	wmic.exe
Token: SeUndockPrivilege	3008	wmic.exe
Token: SeManageVolumePrivilege	3008	wmic.exe
Token: 33	3008	wmic.exe
Token: 34	3008	wmic.exe
Token: 35	3008	wmic.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2508	Etc.exe
Token: SeShutdownPrivilege	948	powercfg.exe
Token: SeShutdownPrivilege	1088	powercfg.exe
Token: SeShutdownPrivilege	1116	powercfg.exe
Token: SeShutdownPrivilege	2108	powercfg.exe
Token: SeDebugPrivilege	2876	Njrat.0.7D.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: 33	2876	Njrat.0.7D.exe
Token: SeIncBasePriorityPrivilege	2876	Njrat.0.7D.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1620	rykmnxwyylqw.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	1420	powercfg.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeShutdownPrivilege	2708	powercfg.exe
Token: SeDebugPrivilege	2540	pautoenr.exe
Token: 33	2876	Njrat.0.7D.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2540	pautoenr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2920	2236	я хз.exe	28
PID 2236 wrote to memory of 2920	2236	я хз.exe	28
PID 2236 wrote to memory of 2920	2236	я хз.exe	28
PID 2236 wrote to memory of 2856	2236	я хз.exe	29
PID 2236 wrote to memory of 2856	2236	я хз.exe	29
PID 2236 wrote to memory of 2856	2236	я хз.exe	29
PID 2236 wrote to memory of 2508	2236	я хз.exe	30
PID 2236 wrote to memory of 2508	2236	я хз.exe	30
PID 2236 wrote to memory of 2508	2236	я хз.exe	30
PID 2236 wrote to memory of 2540	2236	я хз.exe	31
PID 2236 wrote to memory of 2540	2236	я хз.exe	31
PID 2236 wrote to memory of 2540	2236	я хз.exe	31
PID 2236 wrote to memory of 2876	2236	я хз.exe	32
PID 2236 wrote to memory of 2876	2236	я хз.exe	32
PID 2236 wrote to memory of 2876	2236	я хз.exe	32
PID 2236 wrote to memory of 2876	2236	я хз.exe	32
PID 2920 wrote to memory of 3008	2920	Saransk.exe	33
PID 2920 wrote to memory of 3008	2920	Saransk.exe	33
PID 2920 wrote to memory of 3008	2920	Saransk.exe	33
PID 2540 wrote to memory of 1960	2540	pautoenr.exe	38
PID 2540 wrote to memory of 1960	2540	pautoenr.exe	38
PID 2540 wrote to memory of 1960	2540	pautoenr.exe	38
PID 2540 wrote to memory of 884	2540	pautoenr.exe	40
PID 2540 wrote to memory of 884	2540	pautoenr.exe	40
PID 2540 wrote to memory of 884	2540	pautoenr.exe	40
PID 1508 wrote to memory of 2844	1508	cmd.exe	47
PID 1508 wrote to memory of 2844	1508	cmd.exe	47
PID 1508 wrote to memory of 2844	1508	cmd.exe	47
PID 2876 wrote to memory of 2812	2876	Njrat.0.7D.exe	46
PID 2876 wrote to memory of 2812	2876	Njrat.0.7D.exe	46
PID 2876 wrote to memory of 2812	2876	Njrat.0.7D.exe	46
PID 2876 wrote to memory of 2812	2876	Njrat.0.7D.exe	46
PID 2540 wrote to memory of 2872	2540	pautoenr.exe	69
PID 2540 wrote to memory of 2872	2540	pautoenr.exe	69
PID 2540 wrote to memory of 2872	2540	pautoenr.exe	69
PID 2540 wrote to memory of 2616	2540	pautoenr.exe	78
PID 2540 wrote to memory of 2616	2540	pautoenr.exe	78
PID 2540 wrote to memory of 2616	2540	pautoenr.exe	78
PID 1992 wrote to memory of 612	1992	cmd.exe	85
PID 1992 wrote to memory of 612	1992	cmd.exe	85
PID 1992 wrote to memory of 612	1992	cmd.exe	85
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 1620 wrote to memory of 2744	1620	rykmnxwyylqw.exe	99
PID 2540 wrote to memory of 1224	2540	pautoenr.exe	104
PID 2540 wrote to memory of 1224	2540	pautoenr.exe	104
PID 2540 wrote to memory of 1224	2540	pautoenr.exe	104
PID 2788 wrote to memory of 2368	2788	taskeng.exe	107
PID 2788 wrote to memory of 2368	2788	taskeng.exe	107
PID 2788 wrote to memory of 2368	2788	taskeng.exe	107
PID 2856 wrote to memory of 1492	2856	PeerDistAD.exe	109
PID 2856 wrote to memory of 1492	2856	PeerDistAD.exe	109
PID 2856 wrote to memory of 1492	2856	PeerDistAD.exe	109
PID 2876 wrote to memory of 2336	2876	Njrat.0.7D.exe	111
PID 2876 wrote to memory of 2336	2876	Njrat.0.7D.exe	111
PID 2876 wrote to memory of 2336	2876	Njrat.0.7D.exe	111
PID 2876 wrote to memory of 2336	2876	Njrat.0.7D.exe	111
PID 2876 wrote to memory of 2428	2876	Njrat.0.7D.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\я хз.exe
"C:\Users\Admin\AppData\Local\Temp\я хз.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\Saransk.exe
  "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe
  "C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1492
- C:\Users\Admin\AppData\Local\Temp\Etc.exe
  "C:\Users\Admin\AppData\Local\Temp\Etc.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2844
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1372
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2316
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1732
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CBABZYWT"
    3⤵
    - Launches sc.exe
    PID:2060
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CBABZYWT" binpath= "C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3020
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1512
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CBABZYWT"
    3⤵
    - Launches sc.exe
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\pautoenr.exe
  "C:\Users\Admin\AppData\Local\Temp\pautoenr.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pautoenr.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pautoenr.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\rat.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rat.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rat" /tr "C:\Users\Admin\AppData\Roaming\rat.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1224
- C:\Users\Admin\AppData\Local\Temp\Njrat.0.7D.exe
  "C:\Users\Admin\AppData\Local\Temp\Njrat.0.7D.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Njrat.0.7D.exe" "Njrat.0.7D.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2812
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -l -t 00
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -l -t 00
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -l -t 00
    3⤵
    PID:576
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -l -t 00
    3⤵
    PID:320

C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe
C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:612
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2624
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2760
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1356
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2744

C:\Windows\system32\taskeng.exe
taskeng.exe {3B0E1AF8-2197-4D52-AD14-F9C20F120962} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\rat.exe
  C:\Users\Admin\AppData\Roaming\rat.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Roaming\rat.exe
  C:\Users\Admin\AppData\Roaming\rat.exe
  2⤵
  - Executes dropped EXE
  PID:2672

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe

Filesize
2.6MB

MD5
7c14d590880406022bc0d8bdd3e2aa2c

SHA1
ffe66d0792a93e977f6366903cb349ac4cc6021c

SHA256
dbff26f5d4d1c5c35a636639161924c8bf6f8750be150fd1670092bd581a42ac

SHA512
c355ae4800a018a5651eb9222db16e7067cd2ec5a09fb619485441f4dd654dbb8d34051afb42622e086be0ad2a3aba46d8f9795a4c56f3e06b8bcd45fc1baf67

Download Submit
C:\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe

Filesize
267KB

MD5
0596e2e892362aa662ac1f7938f22a20

SHA1
9d14d075d8000825c2309fc8826bf042200dec25

SHA256
f86a82680c7215a6449672e5c29283ee4fb3ac1056e20a65194f5331e0c35783

SHA512
03cc4c81531f6b44dd584ee35af7363cd9ce9ef8e86b7f4384a4569b35a047a584f18bbaf3db395edade4b5189b40dcaea02a5501ac1ffbe551e614fae1158e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Etc.exe

Filesize
320KB

MD5
88f903cb01667771c7a1c775387371a9

SHA1
a65d1dc1787b912ec66b2736571aa03d555a0dfd

SHA256
1d6bf65d81696c99cc6414b6e16f1b7b3ac21cdb0ecb8fdd4e57697cf2a28f51

SHA512
62eedf0aba2152c4d38cca7cfdd9f24932d37cc55f3bbe97c725915a5a0fd0d63bbfb157bb009378411264dd2c3c357c1648021f316cb9702e6d17b8254308c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Etc.exe

Filesize
260KB

MD5
6a59131fa21844d02e52e25abb43bb50

SHA1
66fe639c34a0812136f275b3c59177a993a5f976

SHA256
0a36756bb90ebdf9b589e934aec29de7cdcfbc5b7ca1c0cb2cfc2c608325bcae

SHA512
f493c838806864d91966c80cdcad615c8a1ed6692df26371abba362a0a6bd3a6cbc6862d5d39221b878c8ca8a27c3836d9e534a30eba3cd73752fa484948219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Etc.exe

Filesize
1.8MB

MD5
0f2accc7910175913ba8578637da0939

SHA1
156953c916456c5bfefa52da04be6c26a076ed5d

SHA256
166243bccb3a7425362683e625538fe0be68dec225a6389eac2f8c624fb95038

SHA512
54d32f740d506d049296a3878c347c0db802fe915cead65c9279a8cf5bcc1c671fcdc3968f6d588b132c2cf3241a2ee546419c0061fd59f0a5e5d78eb3d286bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Njrat.0.7D.exe

Filesize
79KB

MD5
41f3e2245bf0cfecb81fa3742765e924

SHA1
080addf3f44cf3fd73225a83d50038b53c34b476

SHA256
dcc9822b30f238d5e5428cb0ddf31095790f411eaf5cd41e6b7c05e8b366f9ca

SHA512
89fcb991be7ad5628799a3cafd46bf993d6b52ca13b9dfa23597466fa855c53b018f0a7bd3e3fe46e9129b128591477577b338ef772c02dcd2e57fdde2d378c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeerDistAD.exe

Filesize
229KB

MD5
afa8bb7e6708d4b5c056079f642b65f9

SHA1
3cadcd7a2da0bc26fd7912f46bdc692e51752913

SHA256
9041042642f5c0b67443490fc595aaaa1858c3a8582602969f1af568cad398e9

SHA512
46392d04c3827a9f1602685bae2b10a69306839ce3af5b51889a70925e48654e0b8793ae4f68a4ce94f7c7dc71d0d69f0437583417b32cef9619024294351ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saransk.exe

Filesize
231KB

MD5
37faaeec369bffbc6fdcdb1f26d82a30

SHA1
467a67ff26cc99f9377c8b0bfb58e68af817ef10

SHA256
5c81746a7b7baf2d7ba7350a8bf40ad19c57ca1fd3ae8296d8a51e5de69d5c61

SHA512
59ffa575b9ba69a79b6063b63a9d70786b655f8a5c9509ecbaecc58a276f06e7cb647fe5696c1d260a3028ac3e2eafeadf9d19aa4863bbd107cad2159fe952a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pautoenr.exe

Filesize
71KB

MD5
5adb580a8a93b829aefd180ab1773e19

SHA1
66f11192207b97a0e1d7df0d3a7080a555801d9a

SHA256
bf52359d6a85fd4df2d11603dfa1ccd90e432cdd19c64928791246cdb46ec03c

SHA512
1afabcc8b2963bd44eb9523e3d6f0957ed477a25292d1bcd4cd1188a62381fedf4d2d0d68b06b2f73b84d0b493ace4f9ee7f52b30ea264577e0e4c07f3927a04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a33c299e672965c68a157addb8a7ff35

SHA1
d059097a02f57267dc935594d5ddecab70527dd2

SHA256
2566d7817031092b90f2182fd30f435ca7fdaa965f8e6871370f4418e27cf84a

SHA512
beafcdf3a39459481d81792a813fd4f507423f49d4491a013ee95f7ed6fc0e46561f94f67231c5217f1568e42abddec9088288139bc3504cc092c6c1a0a9a335

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd971016e04b593856896c0b7844de0b

SHA1
52f066ab65083f51949c9ce8e282a385d0a6de26

SHA256
b0676a46f6e271497ee4ded86082ebfe45a3bdbffb8102050d37a9fff2940bdd

SHA512
e261cf1c535a5f4927e5ab7eef73ec5ca2d7a76ff46eeb72dfaf006fce4aedca0acc460664001a0bb27a4bde582551445377a78864e7f660ef304aaaf50b75f7

Download Submit
C:\Users\Admin\Desktop\AssertGroup.inf

Filesize
693KB

MD5
a30d86217a3d5461a710e2f64116819e

SHA1
8bbfa3a48b3ecbdee7ba689e82954a31ce51dde7

SHA256
7529ede80c5164efdb8159b3474f4fa0523f0d85dc7b7cd6f764e3cd663a4684

SHA512
78d17ea2a0d98ba49188985e4a525aa016d8d0e34187c5701ee8af470335514cddf5c91fb40a6f20fcd7e5e6ead7016cfb6de7437f367417ff3038afe8fd5a6e

Download Submit
C:\Users\Admin\Desktop\BackupResume.7z

Filesize
323KB

MD5
0aad298dfc5f402351df966e8d0c116c

SHA1
84026392fdea0145a4906d5d8f4daf356dec8dd8

SHA256
a0e599578ebd5f64ea89179e513e54f06045cd7249a53226e044be434f06568d

SHA512
82bb246fbe06fe8fad96035c86c1a61ac1567d5faf96e2a0db82536a2ebc2a57bc212aa66a813bc5af8090aeda7d7896934e1718b3c3bda56bf631075af63b08

Download Submit
C:\Users\Admin\Desktop\CompleteConvertTo.mp3

Filesize
369KB

MD5
293ebfe8413a2a89accf51efc7849043

SHA1
aa54e886db83a385166cb25b6ac899e2ed893c40

SHA256
13c52908c0f14517bbed0c726931884ade0452b9a84f5fa4b131824c8e745eed

SHA512
4cf057fb7a22819b78d02ee7fc0423e60f9daa5f9d0a320e0bb7854434988de7ae21fc9c638ff7e48d3683b01086683066b01b7e5726d2b3eb47b0dc910058fb

Download Submit
C:\Users\Admin\Desktop\ConvertFromDeny.AAC

Filesize
462KB

MD5
8b0c3b8105afc35ebf091c3ef06b4a9b

SHA1
41c295af715a2694e844aea553ddd5ee901a504d

SHA256
021fc04cfbe66b8853621c69801dc45e7a6443a98aa8db13f37646b40cf40d24

SHA512
3cc338a768fdcd739460d750a58e2ee55e6e1098e7b206b112566685150d0800f3524f23272bab6756a6d2385a6001e135c4a341d78acf5b75ce5d177aee6373

Download Submit
C:\Users\Admin\Desktop\ConvertOpen.wmf

Filesize
277KB

MD5
e2d1dba693f43b730d23658fb57bfeaa

SHA1
6ba01918b72d4b0b7b872c88e218dc153a478f8c

SHA256
4f32ae6e877ff05c20b8d0591af0aea151470349a85657fddff6d912abac966b

SHA512
ec51e3f6fcaaf1f93a30e3fce048b5e790f72297d0bfb38a24a9e54ef432a7e1460e17fa28958e851f3fe3394870f337125f7b0b848bd46529218a745b078401

Download Submit
C:\Users\Admin\Desktop\DebugImport.i64

Filesize
256KB

MD5
d5c38b270d7a71f5384734df4a647bc6

SHA1
0d4ed255575e70b5872786d4c273696e52acdf3d

SHA256
f382b03e7cbec9cd0e371e4f42cd88f83bbe37cf205e42c21737f8834f0d0a0e

SHA512
73dac9bca3359a3cea84c215ebec27748684e703c3c4df76000a260d7418d70f32000f6bd990dc7d8f996ab7e210276511089e4a299a0be49cecf999bce65b74

Download Submit
C:\Users\Admin\Desktop\DenyLimit.mp4

Filesize
275KB

MD5
205d0e43465690591673bb6c575624ec

SHA1
289d408fa2e5d0734bcdc5a91a62ebc427abd98f

SHA256
c2f43c1a75e0ccd3e038fd1089376621e3998b207b234fd60d15f925eb79da08

SHA512
442a4751e9362498fc2ba763b62a06df61858e130fcfe4cd12f650bb3b51301c74ee9ace49458a5b20fcc95f3a76b7d4eead791e125bf6d7606132fd611d1cc4

Download Submit
C:\Users\Admin\Desktop\DisableOpen.mpg

Filesize
485KB

MD5
15c1095c3f2c866e82d03e6a523d8a6c

SHA1
3bbd9750d26980fd4bebdc8339abbd8c4a52dfb4

SHA256
5622afc11914f83a422756f4bb11f55aa1b7e1085bd9f8341673250193afcd6f

SHA512
af1ba2a7562ebfd85d8290604035fd0ac78609a9825cc4b51b7e5d2061363380431811967baec2e92a0c46faeb9e694651f7a11b872c03645dfbf883fd4eb003

Download Submit
C:\Users\Admin\Desktop\ExitGet.gif

Filesize
785KB

MD5
4be53e2af239f2b54cf9c2c574610e28

SHA1
d8d7342df5b127996b43fbf5e8fc59b17c67bdbc

SHA256
60dbc151b3bd2c439d0c579f577c907ec1cc1b772e870059da81d988e99506bc

SHA512
f95a074ff29cba46e29f048cb073db876b61a7926de4a554c3877d6dc004c11aa987127c98946bb0b4d7ac42208696d20d7e0341405bf10dc408f5dbf0f7b726

Download Submit
C:\Users\Admin\Desktop\ImportAdd.mhtml

Filesize
624KB

MD5
e3558fa9acfc9af2f629daa159ac4059

SHA1
f22d006cf18a9fe591fe7e062c8246f6cc25b61f

SHA256
b95c4dc89be08a4a01739989714dad3e82d0e1d6aefd0ea00aa2bdd2dbb47d08

SHA512
133cf2a8acdc605122846b8307e42028485acf8d0377c81057027a21939330c4169a371c9b5543451d58acfcfca3d113acafc30f774d0de47386da24f0cf75d5

Download Submit
C:\Users\Admin\Desktop\ImportExport.xlsb

Filesize
577KB

MD5
f03991a7e2734de518aff9a21321596d

SHA1
4446356bc187f6b94b73025e51ded3b1d069002b

SHA256
d610571086fbfb877b868b3181384c52a54fe3d88723491c5d7710b0c661cfad

SHA512
533392c83045620bd2e7d8ae1d257be6f795a1bc97982877b8351edcffc1416a9179814f0f605dcbabedbd93e5712e7f4f4f2b62d2c41a5a42fe9c362ff29b94

Download Submit
C:\Users\Admin\Desktop\InvokeMeasure.htm

Filesize
600KB

MD5
e48f9cc1af3541773f1de56e4f46008b

SHA1
99a22e7a22bd3fb105d0f47416d261b65f4044bd

SHA256
0925be48ed1d5404e4e32b376c5053c5aa925b80c9eda1480e878d0319f35352

SHA512
5ae2f3729a7e6ded65b580fa1820ceec41f4beed6abf2d88aaef906c98af30a69ff22f9564ac66bc6b30eb23dd85c8f03b0e5c088babf5bfaf8993678840efef

Download Submit
C:\Users\Admin\Desktop\JoinReset.bmp

Filesize
647KB

MD5
d53b1fe55d60bf13a06edb8d560e8101

SHA1
4f0d516e3d971d2dc9303801872245639e1892f5

SHA256
d10ec861f3fa7a0e14ef3018e466e456a7b8b6e638ff1624048e2f9f26df51ae

SHA512
ddae5ccb1f84c666630e5d8f6fa07c59073c222095f5685ac134ee604acd30e47e236f6f6587bfc1b5c5e0e64317b73e99e909377f86971f50d88a1792bc5fba

Download Submit
C:\Users\Admin\Desktop\PopRestore.ppsm

Filesize
346KB

MD5
eabb96f927337ab35d25853d30bb1ccc

SHA1
450379defdb33486d3f4520f009db3d6415b24a2

SHA256
caf4c14437e207e03330518cab0c2fc102e2ce1d8ec2aec3c014d386a69fec23

SHA512
ca04c510f1e6c43fd1981ee5d34c53731373766632392c995e1d80ceddf392bfef19e39f264d59073e3a34a2e6ccebda0061fc05812a2343504addc176eb9973

Download Submit
C:\Users\Admin\Desktop\ProtectTest.doc

Filesize
762KB

MD5
a6613a649a6628c5bed397bf923215e6

SHA1
e45e131fdf10a1c43586c7c4f922473b890f0416

SHA256
a11885800ba009d908d872f4af0624ca66ef827e77ce1a0252e46751d605ef09

SHA512
be549b22a1d87a9d8d67dc02529990bdf662267d94ac89d2867bd0710bd39bb961100c2dbc78f545d4e07054a7db877eb9095460df8bf397c3bfb6f5dbfac376

Download Submit
C:\Users\Admin\Desktop\ProtectTest.vsw

Filesize
416KB

MD5
b6d065c98e0bbfadf40423370cb9edef

SHA1
46cc28a30ecf6cc1ddf9bf7ff13f63e1c7b014f4

SHA256
c39d065dc01ea8cd11ad901eebd47879b8076e1a7f05d5d1b40a7e7cc2f8c535

SHA512
d4f86ec2977c9d9ae67d621c0ebdbb407f5c6c8b9d47cad23f613921869cb823124591ff2be42694012590e5012e6b7ad432e69273fd339be4bb6a1fba1e9e43

Download Submit
C:\Users\Admin\Desktop\ReceiveBackup.sys

Filesize
739KB

MD5
ba97aa9dcf5f9509a396f8dabeffa909

SHA1
8fe22ca37956afdfe78eb138418a9550a46b5fb3

SHA256
46274f40d3b5fca6389d9ba6f4922818884e221b7be44aaa91617c308f9235e0

SHA512
baab25cd89024c490a5494f5d6922cf182b7733371728ef93d76f73859f91ff0438e442dfb59fe8eebc4acb56d225561b3981f2328ebf6ccb3f877415bf4b9a6

Download Submit
C:\Users\Admin\Desktop\ResolveAssert.mov

Filesize
300KB

MD5
dea91339d0d6c912916e5fa4ec8d72bf

SHA1
f07bd9d673f0740bf48fc9ca6b0ad04737f31595

SHA256
b14eed5abc162600d80f55dcb9ab3a8056cc5e19d3aace824def3fa5225b5805

SHA512
3b2f27455f8a5cd380334894dc5e2dba2fc543c367c2d570ca9131c0365ed827105467b9c4a2f7356b2125ec74e9c12f4f87718731d88fd9dd305781c4974403

Download Submit
C:\Users\Admin\Desktop\ResolveUpdate.jpg

Filesize
554KB

MD5
9f6c80fb01de92db6b4ffabae5697c73

SHA1
3193d0573d619a805094b95ebc54db172e304bf9

SHA256
b4f06366b140bcc194dc3d6745d28978747959016ff8572e7984ebd256e666ba

SHA512
88dd94aa7eeee466842c5871670c13f1fc55b2d9881f4ede3539c8b26ef33a79f5603891ccc1a119c1a0b80a95a48ab5f42737620d72d0e7f9cfd275a533fefd

Download Submit
C:\Users\Admin\Desktop\SaveTrace.wmv

Filesize
508KB

MD5
6da1cc7c9ca74fd140dd1ff68efb59ad

SHA1
20fc4ea3b931aa4d5944b822ab40b357da068542

SHA256
e3716323db2f841b3079243ff12445bb0d91e3037048e02a1116ca4a9102992a

SHA512
8ad3c9e7e82b50aeafa5e45d27bc505c5ef236af0d8da4b731991a489428acac9df573b2ffa4ff1bfb210758955d825b00f86d74be705f523595c4386f983dbf

Download Submit
C:\Users\Admin\Desktop\SelectProtect.svg

Filesize
670KB

MD5
cd5220e2778572c2a55a12e4b17370a1

SHA1
77a880da9c236f2bb38448c4465be3787bea5aaa

SHA256
8922dffc04d36d3efe59d9de0fbf558268b53435e1daf3994507d98934822c13

SHA512
bfea7b0442db27972c58dab7d3765b608abb050f2f8da5379fc96f13f5f9a7470448f1b2a9d143ab8e9cdcc46e516c3c56f7899a06bd5e046786f6b8f12c171d

Download Submit
C:\Users\Admin\Desktop\SelectPush.rtf

Filesize
716KB

MD5
bdb8059ebe3d7f363e66c6cccf921ff9

SHA1
6fc2ca3a32ebaa5acdcb3be15c9d409cdd0068d9

SHA256
cb1074cbeb7d6b13fc6f8e65a9a71b2e85d7a734357a1610e1cfe770e4d18340

SHA512
69f530c2d3fa43390b6afe9531fbd250cad96a285d0e1c3b66a1f149d7beacb245d23a9df1f3a0c882424c56a84376c6882fdcc16c198ea2b2d5552f1ff7ef8e

Download Submit
C:\Users\Admin\Desktop\SwitchUse.mpeg3

Filesize
392KB

MD5
72450655389a7d5efed1ebff106d371b

SHA1
43ca952bebf110f3841eb98626f83c040f0c6647

SHA256
422b75f6733441618a6a62f5f412979165a2cb98d648e1f74d18ed365998ca54

SHA512
7f3969182daec764e96d668a9e04f6c13d0afa5afd130622c9c0300304daf32e0876d56e6452d02566e724d0fbc0a7984717cb11e68979283f65cf0d8a796f71

Download Submit
C:\Users\Admin\Desktop\UnpublishMerge.gif

Filesize
531KB

MD5
10ca5bf1ca1719aaf7a477adf4c00ae0

SHA1
b8f55ca4d7c4f133b3625063e9795d12ef180800

SHA256
8c6c665b6f94015a9247c805ce43e1d9367c60d45f82bfe83e91d7d052a2253b

SHA512
fd91ac6658d8bc3fa5ca2bd38d710ebab1f3697a4450587c179f5e75f42c14163bad1acc0c74c022c565f4ee0111aa8ed65008c096cc3ba80cc1cb1cc1ca0a37

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
1KB

MD5
00fdaca0a6c748d6489eed38b30f663a

SHA1
d8b2a8c34e6316ecf7f66b29feca160481b219d1

SHA256
187f8a4d6401ff9e3287b4a0c4d02ac33c435c20b7a323a5d4aaf5601d69fb96

SHA512
b8f9b85a081be1798fb3a8e36dfa7a7ea1beaff52f6c83c04b3dfb501be0e48a99b0be73ecb2b02406fa2f9a3be8d746374afbca9828bba57c293ef6a537ce51

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
931B

MD5
217cd3179f1b39d00fe8a4fef545e929

SHA1
7c7ab197d05d700a06e7c60f6b594429655270ef

SHA256
a76121572039fd2f286409186c98c1a1b31a74636ba2d9b4ebd17283bd54380c

SHA512
3834e730ed599dc06bd427dfe1be9d74acf8720aa7baab86de2f91bdd3ff8f09c28f0e288aff9eb87b03345da1603a2c345ed224d37971c47c142ce7318c9a22

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ae8ea2d31b3901ff5d3a039393078b26

SHA1
a5990e3aa2302b092334ed02547d9b6aca000bb9

SHA256
e237a12c70213c56a57ffdcaf7fbcd5bf8a6b53280bb6f93709f9a1e093f3261

SHA512
10734a504ec300b53fc916d35f29acd30fb1b94e0377e41f33cc9a15a238687d861e03d19707a2636380b068051ecd54d777d950a5c858bc42c1f5552ff44932

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
878B

MD5
b176a65f9cfd1c99fa6bf99a84f855d2

SHA1
98c39bcd42f07e792910bfea2f6534467e878cb2

SHA256
16a8ab91b757de42af45055bdffb5d9a4964349be861667b23dae7b0125f1729

SHA512
441e578b8f451a0a6028630f431e0f8faa98651c391ddc3fcb42bd6108a946a37976f0b2a2462cd6011fdd9d85efe3a667414ac965789aa247cdd7b25671e282

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1014B

MD5
6370af232d4fd25d542da59eedb851d7

SHA1
57f3eee511ac384e88e2578bcddbca0d130eaaa9

SHA256
cee379bb0152545fa11817c2793d8b04edf3f75b063dbddb3635a8e810b4c02d

SHA512
fefbddc3fb1012f892153ba40d8842c36115bee115e16f0eccbab55df7ec27a7cf9a736ea4cba71f1337942655544073b23b68460d6506589c142499575de0e5

Download Submit
\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe

Filesize
960KB

MD5
a0edf03b318f3e57f5be1ad451b89066

SHA1
1c7b4dc4ff076c39a9d11dae0d57c0ccb54213b6

SHA256
686d9074d320ff9f37c657f8f29e9549f45bab8342524437205ff74396b4ada4

SHA512
832b2090c8dca5c2a175785ca5ea8d1d9b671441ae8481a7023b38cd37163c0d4bd870acb734cabd94ea6b5e44209a63e035196cc0b5d2561393b06b3cf73ce8

Download Submit
\ProgramData\yhdrdrurzmhh\rykmnxwyylqw.exe

Filesize
576KB

MD5
5b4cbd16f076d3ab417230e36874e849

SHA1
cfa077b8d40b5c7e9dcc93429dadcba929eced91

SHA256
0ec09e4d8b29b12b76d856f82fa82c1ba3c7a22ccac5f151eeaf58ccee0129c2

SHA512
af53e3ea12923015d505516c20de7861c38d7e8512de091fe4a06c23cdcaef88c327fe2b81922068ea06f4478d387191d11fdf6dd4e2d29934b5a90ce8170a34

Download Submit
\Users\Admin\AppData\Local\Temp\Etc.exe

Filesize
768KB

MD5
ed603f236b4486674aa3c107393f1a38

SHA1
708085328281973b0d44f0280d8a7fc05588f0e7

SHA256
48c1163ad6b65678495ef1b359345ddb4feaf2a447f2fe5678e5f9a3049992db

SHA512
87e0a333f4d8cc87ca1c1b3295ef587b3921b25c90b43a20c7e4927319d3a68f1d931e3d548c50c450a1224a55e6cec348abf42d500134c1a2236ded0ec7d9f3

Download Submit
\Users\Admin\AppData\Local\Temp\Etc.exe

Filesize
384KB

MD5
527760c36bebce85d3fbf68ae0eb19b2

SHA1
9755ae49c3d2301f313e55f61a2e9ad63bcf667f

SHA256
20d7fb84206b6857d5af4ac24d00813816d9b7092aebc4d2725d6cbef34c59e0

SHA512
ab9d8a01437d2581de081c0e53313d148a8e59d4a795e95aee3fbb1bd104a321078e3acf688aae4cb9c1be3165fb62c50cec85e3a63ea06b70936d17bfe92a13

Download Submit
memory/544-58-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/544-62-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/544-55-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/544-59-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/544-66-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/544-69-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/544-60-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/544-56-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/884-95-0x000007FEECD10000-0x000007FEED6AD000-memory.dmp

Filesize
9.6MB

Download
memory/884-75-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/884-78-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/884-77-0x000007FEECD10000-0x000007FEED6AD000-memory.dmp

Filesize
9.6MB

Download
memory/884-94-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/884-83-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/884-82-0x000007FEECD10000-0x000007FEED6AD000-memory.dmp

Filesize
9.6MB

Download
memory/884-76-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1656-114-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/1656-120-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/1656-123-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-117-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/1656-115-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-116-0x0000000000FF0000-0x0000000001070000-memory.dmp

Filesize
512KB

Download
memory/1960-67-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1960-61-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1960-57-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-65-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-64-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1960-63-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1960-68-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-1-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-38-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-2-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2236-0-0x0000000000010000-0x0000000000254000-memory.dmp

Filesize
2.3MB

Download
memory/2540-33-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-80-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-32-0x0000000000B60000-0x0000000000B78000-memory.dmp

Filesize
96KB

Download
memory/2540-44-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2616-131-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/2616-132-0x000007FEECD10000-0x000007FEED6AD000-memory.dmp

Filesize
9.6MB

Download
memory/2616-130-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/2744-141-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-144-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-139-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-140-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-142-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2744-146-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2856-105-0x000000001A670000-0x000000001A6F0000-memory.dmp

Filesize
512KB

Download
memory/2856-17-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-19-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2856-79-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-43-0x000000001A670000-0x000000001A6F0000-memory.dmp

Filesize
512KB

Download
memory/2872-119-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2872-121-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2872-112-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2872-122-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-108-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2872-113-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2872-111-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2872-118-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-110-0x000007FEED6B0000-0x000007FEEE04D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-39-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-40-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2876-41-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-96-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-89-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2876-88-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2920-42-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/2920-45-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2920-11-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2920-9-0x0000000000EC0000-0x0000000000F00000-memory.dmp

Filesize
256KB

Download