njrat | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4

Analysis

max time kernel
300s
max time network
297s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
Size

9.0MB
MD5

8e575057308494a02213dd094240048f
SHA1

e14cb5b49926f48417fd3b3ce55282c20f0e2f41
SHA256

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4
SHA512

e50a74e824d4e1050893b4d19f63ce4298a0679d982d42b3a49e74fb6fa1664f29e26e24738263aca364a3bffa9659caa98149147a3bb1d2ca37f42a531db3ea
SSDEEP

196608:Y0jlDwGcsAgejtcGfcY3gtAXSdyowjcOSP9FtCNb:1k3meBcGfdrSNm47CNb

Score

10^/10

njrat hacked evasion execution persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

icpanel.hackcrack.io:40544

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3732	powershell.exe
4948	powershell.exe
4156	powershell.exe
2256	powershell.exe
1480	powershell.exe
2812	powershell.exe
4948	powershell.exe
4156	powershell.exe
2256	powershell.exe
1480	powershell.exe
2812	powershell.exe
3732	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2352 netsh.exe

pid	process
2352	netsh.exe

Executes dropped EXE 10 IoCs

Processes:

Setup.exeSetup.execheck .exesvchost.execheck .exesvchost.exeexplorer.exeexplorer.exeversion.exeexplorer.exe

pid	process
2776	Setup.exe
2788	Setup.exe
1700	check .exe
3724	svchost.exe
1160	check .exe
3812	svchost.exe
4100	explorer.exe
3960	explorer.exe
5092	version.exe
1676	explorer.exe

Loads dropped DLL 16 IoCs

Processes:

check .exe

pid	process
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe
1160	check .exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Setup.exeSetup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\check .exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3656 taskkill.exe

pid	process
3656	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe
4100	explorer.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

svchost.exesvchost.exeexplorer.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3724	svchost.exe
Token: SeDebugPrivilege	3812	svchost.exe
Token: SeDebugPrivilege	4100	explorer.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe
Token: 33	1676	explorer.exe
Token: SeIncBasePriorityPrivilege	1676	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

4100 explorer.exe
4100 explorer.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exeSetup.execheck .exeSetup.exesvchost.exeexplorer.exesvchost.exeversion.execmd.execmd.execmd.execmd.execmd.execmd.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3360 wrote to memory of 2776	3360	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 3360 wrote to memory of 2776	3360	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 3360 wrote to memory of 2788	3360	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 3360 wrote to memory of 2788	3360	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	Setup.exe
PID 3360 wrote to memory of 1700	3360	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 3360 wrote to memory of 1700	3360	253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe	check .exe
PID 2788 wrote to memory of 3724	2788	Setup.exe	svchost.exe
PID 2788 wrote to memory of 3724	2788	Setup.exe	svchost.exe
PID 1700 wrote to memory of 1160	1700	check .exe	check .exe
PID 1700 wrote to memory of 1160	1700	check .exe	check .exe
PID 2776 wrote to memory of 3812	2776	Setup.exe	svchost.exe
PID 2776 wrote to memory of 3812	2776	Setup.exe	svchost.exe
PID 3812 wrote to memory of 4100	3812	svchost.exe	explorer.exe
PID 3812 wrote to memory of 4100	3812	svchost.exe	explorer.exe
PID 4100 wrote to memory of 1484	4100	explorer.exe	cmstp.exe
PID 4100 wrote to memory of 1484	4100	explorer.exe	cmstp.exe
PID 3724 wrote to memory of 3960	3724	svchost.exe	explorer.exe
PID 3724 wrote to memory of 3960	3724	svchost.exe	explorer.exe
PID 5092 wrote to memory of 3728	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 3728	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 4964	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 4964	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 4728	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 4728	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 1288	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 1288	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 4700	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 4700	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 388	5092	version.exe	cmd.exe
PID 5092 wrote to memory of 388	5092	version.exe	cmd.exe
PID 3728 wrote to memory of 3732	3728	cmd.exe	powershell.exe
PID 3728 wrote to memory of 3732	3728	cmd.exe	powershell.exe
PID 4964 wrote to memory of 4948	4964	cmd.exe	powershell.exe
PID 4964 wrote to memory of 4948	4964	cmd.exe	powershell.exe
PID 4700 wrote to memory of 4156	4700	cmd.exe	powershell.exe
PID 4700 wrote to memory of 4156	4700	cmd.exe	powershell.exe
PID 1288 wrote to memory of 2256	1288	cmd.exe	powershell.exe
PID 1288 wrote to memory of 2256	1288	cmd.exe	powershell.exe
PID 388 wrote to memory of 1480	388	cmd.exe	powershell.exe
PID 388 wrote to memory of 1480	388	cmd.exe	powershell.exe
PID 4728 wrote to memory of 2812	4728	cmd.exe	powershell.exe
PID 4728 wrote to memory of 2812	4728	cmd.exe	powershell.exe
PID 3960 wrote to memory of 1676	3960	explorer.exe	explorer.exe
PID 3960 wrote to memory of 1676	3960	explorer.exe	explorer.exe
PID 1676 wrote to memory of 2352	1676	explorer.exe	netsh.exe
PID 1676 wrote to memory of 2352	1676	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
"C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\tt0ku0ju.inf
5⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2352

C:\Users\Admin\AppData\Local\Temp\check .exe
"C:\Users\Admin\AppData\Local\Temp\check .exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\check .exe
"C:\Users\Admin\AppData\Local\Temp\check .exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
Filesize
408B

MD5
b086782ac488892b614985f9355a4979

SHA1
85f1537da0120829dcabae7c4d6334e614c738eb

SHA256
196110ae45d16c909675bf3106c8794312b7b5520c2555842481dc0c9bd5a88d

SHA512
15401e81b4aaca10b999b68858d05f1e410ea7417b5bbabb22e4f3a487e714bdedf430eec92a154444ea4f0844b70052a8e4dd0be80b9cc35d1fc189a41b55a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log
Filesize
676B

MD5
38cb0fee80ab2ca7847812a3b7c0a38e

SHA1
f8377b86a0dd4f4a36ef2d8328cd0407bafdca4c

SHA256
71fd0b006b21e9b88498e3f7f2a8b6c297dd37810b323b4d2d82f0f16866df80

SHA512
48be591b05e4103491a477b23e586bbb3428b3d10cc9301f20704819bac0f3101ceb8b782ace49400bc0b8ed84d8a24f4cf22b49c4f49096ff2a021e09672950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
Filesize
588B

MD5
74cb6d78314d7fdaaf7119fe006bcfd9

SHA1
be787e0eb70c3a8732dffecae56f4002e5b16f75

SHA256
a42326016fe054353c71343d7c48e072d30f7426503637175add202f5b20947b

SHA512
31f4c81ccb1788f242f2fbd3889c532f929a64f94cdd54687814e2e9637951122afe7c451abf176adfa7328044ceac0758ddadf541a79f5b033400129851dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
375KB

MD5
8e4f8329f0837d6a3801dd96973a05fe

SHA1
7309226e370a33000c08653504f2ac5786944b2b

SHA256
0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

SHA512
9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_bz2.pyd
Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_ctypes.pyd
Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_hashlib.pyd
Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_lzma.pyd
Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_queue.pyd
Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_socket.pyd
Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\_ssl.pyd
Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\base_library.zip
Filesize
1.8MB

MD5
d271ba9b8bffd25395083cccf6fc17b9

SHA1
a2970f5991f41af61176e1f184287717ac7eb8b5

SHA256
9226f0ca49d97923deb30845e664fe17e14b3e3b084ea9a4b5c63bb07fdfc8ee

SHA512
86e8b13ed396a27c985d1c521af341db7e7dfb8e4c7ea70481680ddea1ddea9d1548c03d302b4f17cecab70bbc585837ceff4cd33105af1310bfaa249c878136

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\charset_normalizer\md.cp311-win_amd64.pyd
Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\libcrypto-3.dll
Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\libssl-3.dll
Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\python311.dll
Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\select.pyd
Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17002\unicodedata.pyd
Filesize
1.1MB

MD5
1905b5d0f945499441e8cd58eb123d86

SHA1
117e584e6fcc0e8cfc8e24e3af527999f14bac30

SHA256
b1788b81fa160e5120451f9252c7745cdde98b8ce59bf273a3dd867bb034c532

SHA512
ed88cd7e3259239a0c8d42d95fa2447fc454a944c849fa97449ad88871236fefdafe21dbfa6e9b5d8a54ddf1d5281ec34d314cb93d47ce7b13912a69d284f522

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_saqxmelt.54g.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\check .exe
Filesize
8.6MB

MD5
d74eb99109dc495ab735264ba68edb06

SHA1
a7b5b1471c2e8f46d3e3d5340435d8a148fd285d

SHA256
26789e493fb9cc881d40e0eed7609fd390eb76196c91c4fc7be9ac7cbb11b41a

SHA512
b715d226c70edfa5b413e7989a0f56ee4c5765b16f273f04bdfd6afb11fd1ba02638aa08d5f47e340eabab0397a3f300618cbcb2d49a921734b3bcfd09e0f643

Download Submit
C:\Users\Admin\AppData\Local\Temp\tt0ku0ju.inf
Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
163KB

MD5
c833287873afe73c333638e4d187c666

SHA1
4aa5686878ed71c4d27996449854e63107165b98

SHA256
a9a387bafca70c8bce39473ee63df9fb439d15ba83b6b26e84f91fc920c1f39f

SHA512
a949d0d6143405f3bb98589e67856a5971a8b23d35536b13ad3aae4b51c53de256315d8deaf609f49e8fe9ccf39e59e95b0cecef2619d5d08f3059a9254ae006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip
Filesize
177KB

MD5
8fb86ff3840ca7ef4656f0e3bc082824

SHA1
1a490e6b4fda8b2987f9ac4b29ee0c6bcbbd0ce2

SHA256
1aaf14aa698f2057086ea4e7ff74a313bd6e2fbfe93d11179384682f2c384054

SHA512
363b09b52578509195c48d503a37f03400fa9c4f1f378e7ec557a622d8ec470d27c494fd82efe448075b3ec5ad1e21d0b3ca56226dc44324910571ae8cf13800

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
252KB

MD5
e5d01a5a8cc5c5ca9a5329459814c91a

SHA1
00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

SHA256
612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

SHA512
2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip
Filesize
124KB

MD5
287c4ef4138442be3996d52619f9e7d3

SHA1
2a64f031df9e950aec105ac2eaf6cf0932bda940

SHA256
686f17451faf52211e0b477c8b4dee8666eebc7332e5b429fa7f478aeece5b00

SHA512
a980b88c60bc4f5d8a6a233a24faf20aa4de697475492945208ddbe628f55a6f4a88ca945f6d1fdf147bd62e02cb103537b56083413e82763f74fcb9696cb6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
Filesize
11KB

MD5
10d90137afcca51c429a2c0aa78c92d6

SHA1
c7cb2762e0a31b06aaca0c440db5556fd23df24f

SHA256
44a4f73cc6a5a89208372ded41ed5e3cecc8bf2064ee1224275f21061dae11a1

SHA512
c914381e197450f3e576d3c77f103796be594444499ff2397e0bb74f9249baff973ea5c66ab42540835e060ad6032694fc2b8d01c95795d71adf6f1c91d000b0

Download Submit
memory/2776-34-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/2776-25-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/2776-29-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/2776-87-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/2788-36-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/2788-67-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/3360-0-0x00007FFFFDA55000-0x00007FFFFDA56000-memory.dmp

Filesize
4KB

Download
memory/3360-35-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/3360-2-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/3360-1-0x000000001BF20000-0x000000001BFC6000-memory.dmp

Filesize
664KB

Download
memory/3360-3-0x000000001C850000-0x000000001CD1E000-memory.dmp

Filesize
4.8MB

Download
memory/3360-4-0x000000001C0C0000-0x000000001C15C000-memory.dmp

Filesize
624KB

Download
memory/3360-5-0x00007FFFFD7A0000-0x00007FFFFE141000-memory.dmp

Filesize
9.6MB

Download
memory/3960-127-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download
memory/4100-126-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/4948-136-0x00000181F8D90000-0x00000181F8DB2000-memory.dmp

Filesize
136KB

Download