njrat | e64b88e64954b01b43964a3913adab7f0b6e1605492da920e1ad300a7158c423

Analysis

max time kernel
149s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/04/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ez Dork Gen DELUXE.exe
Size

1.2MB
MD5

89fffdc32e34b6239d4dcc7ddd8f8fc2
SHA1

a33a1787b8a8768c421ba454b266925128f37818
SHA256

e64b88e64954b01b43964a3913adab7f0b6e1605492da920e1ad300a7158c423
SHA512

ed7fd226cd2e0eabcbc16408d996a84e16d8ed03f97833c56c9939db2512e115806e8027dfd67323b72af3b9058a08c9efee3f9f3b44cc888c348e379c00e40c
SSDEEP

24576:uYVqnp6FJRK3avGmAT8QE+kw0YSLx3PKFT:ufnp6DRKOAI+4P9+T

Score

10^/10

njrat hacked discovery evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

jcpanel.hackcrack.io:39254

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2228	netsh.exe

Executes dropped EXE 8 IoCs

pid	Process
196	TempSetup.exe
1600	~Ez_Dork_Gen_DELUXE.exe
4752	Setup.exe
4160	svchost.exe
2076	svchost.exe
708	explorer.exe
2184	version.exe
4108	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common User Networking = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1548	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
708	explorer.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
4588	powershell.exe
4588	powershell.exe
3912	powershell.exe
3912	powershell.exe
4588	powershell.exe
4664	powershell.exe
4664	powershell.exe
3848	powershell.exe
2620	powershell.exe
2620	powershell.exe
3912	powershell.exe
4460	powershell.exe
4460	powershell.exe
4588	powershell.exe
4664	powershell.exe
2620	powershell.exe
3912	powershell.exe
4460	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	explorer.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeIncreaseQuotaPrivilege	3848	powershell.exe
Token: SeSecurityPrivilege	3848	powershell.exe
Token: SeTakeOwnershipPrivilege	3848	powershell.exe
Token: SeLoadDriverPrivilege	3848	powershell.exe
Token: SeSystemProfilePrivilege	3848	powershell.exe
Token: SeSystemtimePrivilege	3848	powershell.exe
Token: SeProfSingleProcessPrivilege	3848	powershell.exe
Token: SeIncBasePriorityPrivilege	3848	powershell.exe
Token: SeCreatePagefilePrivilege	3848	powershell.exe
Token: SeBackupPrivilege	3848	powershell.exe
Token: SeRestorePrivilege	3848	powershell.exe
Token: SeShutdownPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeSystemEnvironmentPrivilege	3848	powershell.exe
Token: SeRemoteShutdownPrivilege	3848	powershell.exe
Token: SeUndockPrivilege	3848	powershell.exe
Token: SeManageVolumePrivilege	3848	powershell.exe
Token: 33	3848	powershell.exe
Token: 34	3848	powershell.exe
Token: 35	3848	powershell.exe
Token: 36	3848	powershell.exe
Token: SeIncreaseQuotaPrivilege	4588	powershell.exe
Token: SeSecurityPrivilege	4588	powershell.exe
Token: SeTakeOwnershipPrivilege	4588	powershell.exe
Token: SeLoadDriverPrivilege	4588	powershell.exe
Token: SeSystemProfilePrivilege	4588	powershell.exe
Token: SeSystemtimePrivilege	4588	powershell.exe
Token: SeProfSingleProcessPrivilege	4588	powershell.exe
Token: SeIncBasePriorityPrivilege	4588	powershell.exe
Token: SeCreatePagefilePrivilege	4588	powershell.exe
Token: SeBackupPrivilege	4588	powershell.exe
Token: SeRestorePrivilege	4588	powershell.exe
Token: SeShutdownPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeSystemEnvironmentPrivilege	4588	powershell.exe
Token: SeRemoteShutdownPrivilege	4588	powershell.exe
Token: SeUndockPrivilege	4588	powershell.exe
Token: SeManageVolumePrivilege	4588	powershell.exe
Token: 33	4588	powershell.exe
Token: 34	4588	powershell.exe
Token: 35	4588	powershell.exe
Token: 36	4588	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	powershell.exe
Token: SeSecurityPrivilege	3912	powershell.exe
Token: SeTakeOwnershipPrivilege	3912	powershell.exe
Token: SeLoadDriverPrivilege	3912	powershell.exe
Token: SeSystemProfilePrivilege	3912	powershell.exe
Token: SeSystemtimePrivilege	3912	powershell.exe
Token: SeProfSingleProcessPrivilege	3912	powershell.exe
Token: SeIncBasePriorityPrivilege	3912	powershell.exe
Token: SeCreatePagefilePrivilege	3912	powershell.exe
Token: SeBackupPrivilege	3912	powershell.exe
Token: SeRestorePrivilege	3912	powershell.exe
Token: SeShutdownPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeSystemEnvironmentPrivilege	3912	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1600	~Ez_Dork_Gen_DELUXE.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
708	explorer.exe
708	explorer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 196	2812	Ez Dork Gen DELUXE.exe	73
PID 2812 wrote to memory of 196	2812	Ez Dork Gen DELUXE.exe	73
PID 2812 wrote to memory of 196	2812	Ez Dork Gen DELUXE.exe	73
PID 2812 wrote to memory of 1600	2812	Ez Dork Gen DELUXE.exe	74
PID 2812 wrote to memory of 1600	2812	Ez Dork Gen DELUXE.exe	74
PID 196 wrote to memory of 4752	196	TempSetup.exe	75
PID 196 wrote to memory of 4752	196	TempSetup.exe	75
PID 4752 wrote to memory of 4160	4752	Setup.exe	77
PID 4752 wrote to memory of 4160	4752	Setup.exe	77
PID 4752 wrote to memory of 4160	4752	Setup.exe	77
PID 4160 wrote to memory of 2076	4160	svchost.exe	78
PID 4160 wrote to memory of 2076	4160	svchost.exe	78
PID 2076 wrote to memory of 708	2076	svchost.exe	79
PID 2076 wrote to memory of 708	2076	svchost.exe	79
PID 708 wrote to memory of 3260	708	explorer.exe	80
PID 708 wrote to memory of 3260	708	explorer.exe	80
PID 2184 wrote to memory of 4896	2184	version.exe	83
PID 2184 wrote to memory of 4896	2184	version.exe	83
PID 2184 wrote to memory of 5080	2184	version.exe	84
PID 2184 wrote to memory of 5080	2184	version.exe	84
PID 2184 wrote to memory of 4740	2184	version.exe	85
PID 2184 wrote to memory of 4740	2184	version.exe	85
PID 2184 wrote to memory of 1320	2184	version.exe	86
PID 2184 wrote to memory of 1320	2184	version.exe	86
PID 2184 wrote to memory of 4116	2184	version.exe	89
PID 2184 wrote to memory of 4116	2184	version.exe	89
PID 2184 wrote to memory of 3564	2184	version.exe	90
PID 2184 wrote to memory of 3564	2184	version.exe	90
PID 3564 wrote to memory of 4588	3564	cmd.exe	98
PID 4116 wrote to memory of 3848	4116	cmd.exe	97
PID 4116 wrote to memory of 3848	4116	cmd.exe	97
PID 3564 wrote to memory of 4588	3564	cmd.exe	98
PID 4896 wrote to memory of 3912	4896	cmd.exe	99
PID 4896 wrote to memory of 3912	4896	cmd.exe	99
PID 1320 wrote to memory of 4664	1320	cmd.exe	100
PID 1320 wrote to memory of 4664	1320	cmd.exe	100
PID 4740 wrote to memory of 4460	4740	cmd.exe	101
PID 4740 wrote to memory of 4460	4740	cmd.exe	101
PID 5080 wrote to memory of 2620	5080	cmd.exe	102
PID 5080 wrote to memory of 2620	5080	cmd.exe	102
PID 708 wrote to memory of 4108	708	explorer.exe	105
PID 708 wrote to memory of 4108	708	explorer.exe	105
PID 4108 wrote to memory of 2228	4108	explorer.exe	106
PID 4108 wrote to memory of 2228	4108	explorer.exe	106

C:\Users\Admin\AppData\Local\Temp\Ez Dork Gen DELUXE.exe
"C:\Users\Admin\AppData\Local\Temp\Ez Dork Gen DELUXE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\TempSetup.exe
  "C:\Users\Admin\AppData\Local\TempSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:196
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\z1pqnk2n.inf
        7⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:2228
- C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe
  "C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:1600

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4588

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
8d18f3de2c2704260954b598bb8ebf54

SHA1
83dd524eed6154c8829319f0767487ef48192170

SHA256
5dbf5bb426a5ea6c1c0f5765145d4d73ad77140cda0d14bf9ef64716fb9be7fe

SHA512
703df088e1c01ed999f4f95188bffc25b62a7309bfcef071f3905465c0fa709a74d14adc8b3e8f509f2dd224afb4925351fe82e19227c3e1f94012e1ce209b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ee317023361c70de122f439b9d3bbf39

SHA1
c93675cc2cb8ca9b001989829ea03b3afe10e237

SHA256
1179e46df1ca4985aa27033e035440cefa779cc977657281d63541aeaa8cccab

SHA512
ee9ea5c6f5a58b1f99eb13028328ce6efdfcc362889b4a0a0670828a68a9d33c8cabaeca82202d5072efdb33abdb4c7061609cee67a504c9220194136191420a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c77dcac4fc53b7497b29b6ca2a66c36

SHA1
4bf4bd29661c1ee5d3c54350c3aaf0b5861a5847

SHA256
c3a615ce1b2ca854d46186b80ce8419f215c65192430fdde0f74ff08e47cb166

SHA512
b9b97dc8143a49844fe7934664b4da3246a7379e757d3d77c33cf55d07eea1845799e47521a1be6407fa5c3b999b9d68908cdaf2d1446480743b8abcf98f855a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abcc7373ca30c1b4ed4f7803e5c11ded

SHA1
4ef947b243438ee952033bcd533f5f9aeeb4ddca

SHA256
a5760f9088ce6c208f703d1160941e62bc2f255f0bb78a6c48e8673ce00c4984

SHA512
f1d8457de781672bb426e898661340047ab7ffdc85bd80a2be602b27bf0ed89fdb70be5f3b05db479a9e559ffcff7df3f942e45bfff8873be54fcb0e744ccb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a71bd22e4d0745f4d53fefb2ba8f655d

SHA1
a6c8ad44db7d2a441363285078636f331ece0652

SHA256
53a585ad273694c6df3b14a22d0084119d52d59f6a4ccdf8158c6b77327e824a

SHA512
5b5ec1b6c6445b42a6e2976b54de8498ba5574c47cd1d6d7c8965fc154290fcbf37287908eeea33e3efef8f0b66a27197ddd96b850d386f2a3b707e1a9f2350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25eb80b16e235ead88f424cca204f295

SHA1
d78ae7674b8e3f3ee4763b59c408908abb9158fa

SHA256
daa4aae44f6a9b5d4bc8be078ede6e1cc868af021a06e6b7842a278a5c659e29

SHA512
13271486bbb092682246478a00ffe89a7dd777bf279bae67eb17a75079ba86a75b9b7f6224028778349a16e9bb3181be52a05d2a5650ad1ea399f5a8fb36c20b

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe

Filesize
446KB

MD5
8cda5c66b6f92209c94ae927be3d895f

SHA1
beb062bbdaeb180c8438f0762eddfeb59609fc02

SHA256
71520637e17ca9034beec82a6c5fe21a0907e2fa8cdb376213e80535f41de6e4

SHA512
c1b71e46c5a52c037a055aa7de1d16e6542e86d75751d2e26fc248875086745934493aa7a06c6faeed378006f5db13e62377ff6dfa85e9d1e215f5a6ab600436

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ywythr1.hqo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1pqnk2n.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ez_Dork_Gen_DELUXE.exe

Filesize
748KB

MD5
804cc6ded884925885f409a88e7244d0

SHA1
ff29d809529b139c142fff0bc52c42bac4929e72

SHA256
a60187fe7b2c794a2bc26d6eb86c4f292d2ed4c09871e14f661d8853eaa19ac4

SHA512
f394e50fded112f90b8d771acd0d7cb8e82a2dc40fff1f6745cda00d955147830d2fb2de23e4dd131875ca7a7c0284779d8c2925f29ebab3c3eb1a49d5c57953

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe

Filesize
163KB

MD5
70d31b039542364d301ffa99a7262c3e

SHA1
e5108cb3fcaf8f4c27fcd0b55031e40eeeca1e2e

SHA256
d77315e0cfbd8cd4a98cfe5a7a60961a9611e6d2a09f40317e4cced3e82d6724

SHA512
d8adaf463f6696479662217ada57fc7609ac0b31b55d99027efe3a935e8a9782dd7d821598fe6e6c477608353890a329f382b9828499ae6d4736e8636bcba1d2

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe

Filesize
264KB

MD5
769c40e5c372c2dd21a3f472fff8d7e2

SHA1
7cc1caf7312dd4e6d5abf74f2060f578abab0821

SHA256
74439b22002f86bd45bca78cd5ebd578a8b17979ab73311182cce63573eacbe6

SHA512
6958838b35dee41fb702d679a195e9abfe0233644d4e73f2dedb2144b34470359ce6fb6c81506594d5339a524b01aa61755b82bdb1c850ceec8da6266fd3fc4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\Setup.exe

Filesize
405KB

MD5
f64b69094e9cc63e63acec2be76bee4a

SHA1
186733004af7ce6770883c9f8a1d658cdff67804

SHA256
9c7ddac49954d267fe6ab5653bc1020c1058c216b6bcab6b6298333c8940988c

SHA512
2872845d0a6a13895daac078b6f76413fd1f3ce68cade3de7d04d89168136153df28cc75bdea147d8f6cb29ecf82d255fd3f13cab14fb821a0b5549128660922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe

Filesize
224KB

MD5
e57116b451a51b5df2bf18fbed325ec9

SHA1
246f02ebe5db0a117b74505173b7af84b7b22a2f

SHA256
f9259324de42908849269f679c87cc0ef8096c30d854a72ee57b57e9bb8b59f7

SHA512
1ecaa07b459d335fe108b3dceff1392d37be7814a58e5a30a42bae305c75bc8a3c8c1dbdd313f5276f5a46ec8a4d0409fb918ea966aff58b200e94e2a5a02f73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
11KB

MD5
10d90137afcca51c429a2c0aa78c92d6

SHA1
c7cb2762e0a31b06aaca0c440db5556fd23df24f

SHA256
44a4f73cc6a5a89208372ded41ed5e3cecc8bf2064ee1224275f21061dae11a1

SHA512
c914381e197450f3e576d3c77f103796be594444499ff2397e0bb74f9249baff973ea5c66ab42540835e060ad6032694fc2b8d01c95795d71adf6f1c91d000b0

Download Submit
memory/196-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-85-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/1600-20-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/1600-373-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/2812-5-0x0000000002AA0000-0x0000000002AA8000-memory.dmp

Filesize
32KB

Download
memory/2812-369-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

Filesize
9.6MB

Download
memory/2812-8-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2812-372-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2812-371-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

Filesize
9.6MB

Download
memory/2812-370-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2812-0-0x000000001B880000-0x000000001B926000-memory.dmp

Filesize
664KB

Download
memory/2812-6-0x000000001C520000-0x000000001C56C000-memory.dmp

Filesize
304KB

Download
memory/2812-7-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

Filesize
9.6MB

Download
memory/2812-4-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2812-3-0x000000001C400000-0x000000001C49C000-memory.dmp

Filesize
624KB

Download
memory/2812-2-0x000000001BE90000-0x000000001C35E000-memory.dmp

Filesize
4.8MB

Download
memory/2812-1-0x00007FFA7ED20000-0x00007FFA7F6C0000-memory.dmp

Filesize
9.6MB

Download
memory/3848-120-0x0000026059730000-0x00000260597A6000-memory.dmp

Filesize
472KB

Download
memory/3848-113-0x0000026041400000-0x0000026041422000-memory.dmp

Filesize
136KB

Download
memory/4160-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-37-0x000000001DB70000-0x000000001DBA4000-memory.dmp

Filesize
208KB

Download
memory/4752-40-0x000000001EEE0000-0x000000001EFD2000-memory.dmp

Filesize
968KB

Download