njrat | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-05-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
Size

9.0MB
MD5

8e575057308494a02213dd094240048f
SHA1

e14cb5b49926f48417fd3b3ce55282c20f0e2f41
SHA256

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4
SHA512

e50a74e824d4e1050893b4d19f63ce4298a0679d982d42b3a49e74fb6fa1664f29e26e24738263aca364a3bffa9659caa98149147a3bb1d2ca37f42a531db3ea
SSDEEP

196608:Y0jlDwGcsAgejtcGfcY3gtAXSdyowjcOSP9FtCNb:1k3meBcGfdrSNm47CNb

Score

10^/10

njrat hacked evasion execution persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

icpanel.hackcrack.io:40544

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2636	powershell.exe
344	powershell.exe
4208	powershell.exe
2300	powershell.exe
3088	powershell.exe
2456	powershell.exe
3088	powershell.exe
2456	powershell.exe
2636	powershell.exe
344	powershell.exe
4208	powershell.exe
2300	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4412 netsh.exe
Executes dropped EXE 8 IoCs

Processes:

Setup.exeSetup.exesvchost.execheck .execheck .exeexplorer.exeversion.exeexplorer.exe

pid process

4116 Setup.exe
4412 Setup.exe
1864 svchost.exe
2292 check .exe
2864 check .exe
1000 explorer.exe
1364 version.exe
2784 explorer.exe

pid	process
4412	netsh.exe

pid	process
4116	Setup.exe
4412	Setup.exe
1864	svchost.exe
2292	check .exe
2864	check .exe
1000	explorer.exe
1364	version.exe
2784	explorer.exe

Loads dropped DLL 17 IoCs

Processes:

check .exe

pid	process
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe
2864	check .exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Setup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\check .exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3524 taskkill.exe

pid	process
3524	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe
1000	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeexplorer.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1864	svchost.exe
Token: SeDebugPrivilege	1000	explorer.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2456	powershell.exe
Token: SeSecurityPrivilege	2456	powershell.exe
Token: SeTakeOwnershipPrivilege	2456	powershell.exe
Token: SeLoadDriverPrivilege	2456	powershell.exe
Token: SeSystemProfilePrivilege	2456	powershell.exe
Token: SeSystemtimePrivilege	2456	powershell.exe
Token: SeProfSingleProcessPrivilege	2456	powershell.exe
Token: SeIncBasePriorityPrivilege	2456	powershell.exe
Token: SeCreatePagefilePrivilege	2456	powershell.exe
Token: SeBackupPrivilege	2456	powershell.exe
Token: SeRestorePrivilege	2456	powershell.exe
Token: SeShutdownPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeSystemEnvironmentPrivilege	2456	powershell.exe
Token: SeRemoteShutdownPrivilege	2456	powershell.exe
Token: SeUndockPrivilege	2456	powershell.exe
Token: SeManageVolumePrivilege	2456	powershell.exe
Token: 33	2456	powershell.exe
Token: 34	2456	powershell.exe
Token: 35	2456	powershell.exe
Token: 36	2456	powershell.exe
Token: SeIncreaseQuotaPrivilege	344	powershell.exe
Token: SeSecurityPrivilege	344	powershell.exe
Token: SeTakeOwnershipPrivilege	344	powershell.exe
Token: SeLoadDriverPrivilege	344	powershell.exe
Token: SeSystemProfilePrivilege	344	powershell.exe
Token: SeSystemtimePrivilege	344	powershell.exe
Token: SeProfSingleProcessPrivilege	344	powershell.exe
Token: SeIncBasePriorityPrivilege	344	powershell.exe
Token: SeCreatePagefilePrivilege	344	powershell.exe
Token: SeBackupPrivilege	344	powershell.exe
Token: SeRestorePrivilege	344	powershell.exe
Token: SeShutdownPrivilege	344	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeSystemEnvironmentPrivilege	344	powershell.exe
Token: SeRemoteShutdownPrivilege	344	powershell.exe
Token: SeUndockPrivilege	344	powershell.exe
Token: SeManageVolumePrivilege	344	powershell.exe
Token: 33	344	powershell.exe
Token: 34	344	powershell.exe
Token: 35	344	powershell.exe
Token: 36	344	powershell.exe
Token: SeIncreaseQuotaPrivilege	4208	powershell.exe
Token: SeSecurityPrivilege	4208	powershell.exe
Token: SeTakeOwnershipPrivilege	4208	powershell.exe
Token: SeLoadDriverPrivilege	4208	powershell.exe
Token: SeSystemProfilePrivilege	4208	powershell.exe
Token: SeSystemtimePrivilege	4208	powershell.exe
Token: SeProfSingleProcessPrivilege	4208	powershell.exe
Token: SeIncBasePriorityPrivilege	4208	powershell.exe
Token: SeCreatePagefilePrivilege	4208	powershell.exe
Token: SeBackupPrivilege	4208	powershell.exe
Token: SeRestorePrivilege	4208	powershell.exe
Token: SeShutdownPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

1000 explorer.exe
1000 explorer.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exeSetup.execheck .exesvchost.exeexplorer.exeversion.execmd.execmd.execmd.execmd.execmd.execmd.exeexplorer.exe

description	pid	process	target process
PID 500 wrote to memory of 4116	500	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 500 wrote to memory of 4116	500	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 500 wrote to memory of 4412	500	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 500 wrote to memory of 4412	500	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 4116 wrote to memory of 1864	4116	Setup.exe	svchost.exe
PID 4116 wrote to memory of 1864	4116	Setup.exe	svchost.exe
PID 500 wrote to memory of 2292	500	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 500 wrote to memory of 2292	500	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 2292 wrote to memory of 2864	2292	check .exe	check .exe
PID 2292 wrote to memory of 2864	2292	check .exe	check .exe
PID 1864 wrote to memory of 1000	1864	svchost.exe	explorer.exe
PID 1864 wrote to memory of 1000	1864	svchost.exe	explorer.exe
PID 1000 wrote to memory of 4152	1000	explorer.exe	cmstp.exe
PID 1000 wrote to memory of 4152	1000	explorer.exe	cmstp.exe
PID 1364 wrote to memory of 4328	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 4328	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 3208	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 3208	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 1452	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 1452	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 4352	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 4352	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 2468	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 2468	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 4928	1364	version.exe	cmd.exe
PID 1364 wrote to memory of 4928	1364	version.exe	cmd.exe
PID 4328 wrote to memory of 3088	4328	cmd.exe	powershell.exe
PID 4328 wrote to memory of 3088	4328	cmd.exe	powershell.exe
PID 1452 wrote to memory of 2456	1452	cmd.exe	powershell.exe
PID 1452 wrote to memory of 2456	1452	cmd.exe	powershell.exe
PID 2468 wrote to memory of 344	2468	cmd.exe	powershell.exe
PID 2468 wrote to memory of 344	2468	cmd.exe	powershell.exe
PID 4928 wrote to memory of 2636	4928	cmd.exe	powershell.exe
PID 4928 wrote to memory of 2636	4928	cmd.exe	powershell.exe
PID 3208 wrote to memory of 4208	3208	cmd.exe	powershell.exe
PID 3208 wrote to memory of 4208	3208	cmd.exe	powershell.exe
PID 4352 wrote to memory of 2300	4352	cmd.exe	powershell.exe
PID 4352 wrote to memory of 2300	4352	cmd.exe	powershell.exe
PID 1000 wrote to memory of 2784	1000	explorer.exe	explorer.exe
PID 1000 wrote to memory of 2784	1000	explorer.exe	explorer.exe
PID 2784 wrote to memory of 4412	2784	explorer.exe	netsh.exe
PID 2784 wrote to memory of 4412	2784	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
"C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\vaqrtayk.inf
5⤵
PID:4152

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4412

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\AppData\Local\Temp\check .exe
"C:\Users\Admin\AppData\Local\Temp\check .exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\check .exe
"C:\Users\Admin\AppData\Local\Temp\check .exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
Filesize
408B

MD5
ada7572a2723a67c8537985d082dacc9

SHA1
2900cc8a1cac3a9cbef8d46d5fa6b7e2d485a306

SHA256
e82e82cdd6eda8461b3b727059294b0a21f56218d854b72d3918b68232b60e7d

SHA512
1c65643d6f2f0f559fd3e1072c12a126a5fea4203fa6903fd7e59420d8899fa4ada3eb241b7e19e0b748e78259f9296aa89a16a5bbf21cf84d4fc6e40fec08db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log
Filesize
676B

MD5
8d18f3de2c2704260954b598bb8ebf54

SHA1
83dd524eed6154c8829319f0767487ef48192170

SHA256
5dbf5bb426a5ea6c1c0f5765145d4d73ad77140cda0d14bf9ef64716fb9be7fe

SHA512
703df088e1c01ed999f4f95188bffc25b62a7309bfcef071f3905465c0fa709a74d14adc8b3e8f509f2dd224afb4925351fe82e19227c3e1f94012e1ce209b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
7033adcdceef2520521477b094e52cc7

SHA1
6dbdc3aba745a40a79f2eb659f2b427aaf5ff62e

SHA256
bb10a63597ebc56a9c5e558c7b5bed8c1dde4856f7604ab987998d10eda3ac4e

SHA512
af9249bd6a64e28d1b03ce962618ce2a7e5a55dc57d1dbc8efcf2e4142e74f40e58b144952981c3a86771a9fd207e73986130edf7b7dfde2495347e284e8287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f9e5149072b51719ed7be2f23cb820f8

SHA1
5bc52144121da8c3b61d65a3b5c4057764698349

SHA256
ca26cdb40bde24bbdc2d8635356fd997e8e060f47801956353a3dd903073e89f

SHA512
ee86af6c780201fe15bc8119398c13e028145cd5f0cd3b0a4b6b0cc8ddce69bf1dc644f87d977df33d9a98e9b1a82a2c4d60b60017217cf1e365a9a9c3009f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8243c4a9ef415087320a7d5731fc044b

SHA1
19d06f0814b61edb8f16ce801f4d2efea5b31e1b

SHA256
2cf654eeafa0d7a4ac319af6f382a1875761811478369d76ac25b3be1b7aaec8

SHA512
9bf4a666596e0b536cedec38aa681cbafaf3691108c6310fbe9fa5bd96fdacf4102c7de206ba8544cec0f961d62385c4b135641a39c62c8f9bc23ad3f3004b51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5f6ae22267fe44c1cb3e7e7265aefafb

SHA1
1c05c38e7362fc832153f8819443b39049b93403

SHA256
85cd124d68a879b78e3aee746552b31027a9f4da03f39e276e1ed2759979e657

SHA512
b79898be372e305f6529397e9d908e6253aa5f284106e638e2383dd307a6cf245bc01e4db22ae7fe8407876ab000ee76e411a920c8a1bf9a100d7ebd2f8bd851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b865f58ef4c57f90927c9c949eb97be1

SHA1
8f70fa7e83bc19202ca0fe757a4b2fb81b609e6e

SHA256
f1f18ec973dc3e628e7171bbfc64aef763abfa37bb5808d6941f6e3f89d33088

SHA512
13dbb3727fc85095c12408ae019caaceab272d748d99213aa7e63b94b8cd6b916fb84c1402fe55a2b24f68fc1584cb19597cd9e160796f8551ae22f47eb3b02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4b47fc965b462174e5bc06da89059f39

SHA1
fe062fa61bbb70106365a6c3c2f3d5d79b2c9791

SHA256
ddda95d32b6a5deb50e230f13c1f602852300bc850b8fb4d81a98215fd4b36ea

SHA512
c727848b02952f69071938b460483802c666411504ec73ffeeef3626cb415e264038a9142c404a779063d6fcdc6f0d3ab4dc19758d96fb96b92159f19e3ffd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\_hashlib.pyd
Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\_queue.pyd
Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\_ssl.pyd
Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\base_library.zip
Filesize
1.8MB

MD5
d271ba9b8bffd25395083cccf6fc17b9

SHA1
a2970f5991f41af61176e1f184287717ac7eb8b5

SHA256
9226f0ca49d97923deb30845e664fe17e14b3e3b084ea9a4b5c63bb07fdfc8ee

SHA512
86e8b13ed396a27c985d1c521af341db7e7dfb8e4c7ea70481680ddea1ddea9d1548c03d302b4f17cecab70bbc585837ceff4cd33105af1310bfaa249c878136

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\libcrypto-3.dll
Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22922\python311.dll
Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwctnqy5.nkm.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\check .exe
Filesize
8.6MB

MD5
d74eb99109dc495ab735264ba68edb06

SHA1
a7b5b1471c2e8f46d3e3d5340435d8a148fd285d

SHA256
26789e493fb9cc881d40e0eed7609fd390eb76196c91c4fc7be9ac7cbb11b41a

SHA512
b715d226c70edfa5b413e7989a0f56ee4c5765b16f273f04bdfd6afb11fd1ba02638aa08d5f47e340eabab0397a3f300618cbcb2d49a921734b3bcfd09e0f643

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaqrtayk.inf
Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
163KB

MD5
c833287873afe73c333638e4d187c666

SHA1
4aa5686878ed71c4d27996449854e63107165b98

SHA256
a9a387bafca70c8bce39473ee63df9fb439d15ba83b6b26e84f91fc920c1f39f

SHA512
a949d0d6143405f3bb98589e67856a5971a8b23d35536b13ad3aae4b51c53de256315d8deaf609f49e8fe9ccf39e59e95b0cecef2619d5d08f3059a9254ae006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
Filesize
11KB

MD5
10d90137afcca51c429a2c0aa78c92d6

SHA1
c7cb2762e0a31b06aaca0c440db5556fd23df24f

SHA256
44a4f73cc6a5a89208372ded41ed5e3cecc8bf2064ee1224275f21061dae11a1

SHA512
c914381e197450f3e576d3c77f103796be594444499ff2397e0bb74f9249baff973ea5c66ab42540835e060ad6032694fc2b8d01c95795d71adf6f1c91d000b0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\_bz2.pyd
Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\_ctypes.pyd
Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\_lzma.pyd
Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\_socket.pyd
Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\charset_normalizer\md.cp311-win_amd64.pyd
Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\libssl-3.dll
Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\select.pyd
Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22922\unicodedata.pyd
Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
memory/500-0-0x00007FF8BB285000-0x00007FF8BB286000-memory.dmp

Filesize
4KB

Download
memory/500-38-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/500-1-0x000000001C7B0000-0x000000001C856000-memory.dmp

Filesize
664KB

Download
memory/500-2-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/500-3-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/500-4-0x000000001D160000-0x000000001D62E000-memory.dmp

Filesize
4.8MB

Download
memory/500-5-0x000000001C960000-0x000000001C9FC000-memory.dmp

Filesize
624KB

Download
memory/1000-119-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/1000-120-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

Filesize
48KB

Download
memory/2456-166-0x0000020F305D0000-0x0000020F30646000-memory.dmp

Filesize
472KB

Download
memory/3088-140-0x000001BD3D990000-0x000001BD3D9B2000-memory.dmp

Filesize
136KB

Download
memory/4116-16-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/4116-17-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/4116-19-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/4116-37-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/4412-20-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download
memory/4412-26-0x00007FF8BAFD0000-0x00007FF8BB970000-memory.dmp

Filesize
9.6MB

Download