njrat | 1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

43KB
MD5

d263ae994c7828269ff7d3a5ec76a11b
SHA1

4c9dcda66fd3004be1b8e1eec4f397ddea9962d5
SHA256

1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98
SHA512

93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53
SSDEEP

384:lZy46NUst+3gUy6jjHK6qEsjtJEzQIij+ZsNO3PlpJKkkjh/TzF7pWna/greT0pe:vAwQh6/H1ujGuXQ/oj3+L

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

19.ip.gl.ply.gg:54921

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	windlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	windlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1148	windlogon.exe
1504	Server.exe
2480	Server.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windlogon.exe\" .."	windlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windlogon.exe\" .."	windlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2664	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1056	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2548	Server.exe
1148	windlogon.exe
1056	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: 33	1148	windlogon.exe
Token: SeIncBasePriorityPrivilege	1148	windlogon.exe
Token: 33	1472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1472	AUDIODG.EXE
Token: 33	1472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1472	AUDIODG.EXE
Token: 33	1056	vlc.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe
1056	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1056	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1148	2548	Server.exe	28
PID 2548 wrote to memory of 1148	2548	Server.exe	28
PID 2548 wrote to memory of 1148	2548	Server.exe	28
PID 2548 wrote to memory of 1148	2548	Server.exe	28
PID 1148 wrote to memory of 2664	1148	windlogon.exe	29
PID 1148 wrote to memory of 2664	1148	windlogon.exe	29
PID 1148 wrote to memory of 2664	1148	windlogon.exe	29
PID 1148 wrote to memory of 2664	1148	windlogon.exe	29
PID 2312 wrote to memory of 1504	2312	taskeng.exe	35
PID 2312 wrote to memory of 1504	2312	taskeng.exe	35
PID 2312 wrote to memory of 1504	2312	taskeng.exe	35
PID 2312 wrote to memory of 1504	2312	taskeng.exe	35
PID 1148 wrote to memory of 1800	1148	windlogon.exe	36
PID 1148 wrote to memory of 1800	1148	windlogon.exe	36
PID 1148 wrote to memory of 1800	1148	windlogon.exe	36
PID 1148 wrote to memory of 1800	1148	windlogon.exe	36
PID 1800 wrote to memory of 376	1800	chrome.exe	37
PID 1800 wrote to memory of 376	1800	chrome.exe	37
PID 1800 wrote to memory of 376	1800	chrome.exe	37
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 480	1800	chrome.exe	38
PID 1800 wrote to memory of 2804	1800	chrome.exe	39
PID 1800 wrote to memory of 2804	1800	chrome.exe	39
PID 1800 wrote to memory of 2804	1800	chrome.exe	39
PID 1800 wrote to memory of 1628	1800	chrome.exe	40
PID 1800 wrote to memory of 1628	1800	chrome.exe	40
PID 1800 wrote to memory of 1628	1800	chrome.exe	40

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\windlogon.exe
  "C:\Users\Admin\AppData\Local\Temp\windlogon.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - Creates scheduled task(s)
    PID:2664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.webp
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6939758,0x7fef6939768,0x7fef6939778
      4⤵
      PID:376
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:2
      4⤵
      PID:480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:8
      4⤵
      PID:2804
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:8
      4⤵
      PID:1628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2096 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:1
      4⤵
      PID:1784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2104 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:1
      4⤵
      PID:620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:2
      4⤵
      PID:1696
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 --field-trial-handle=1328,i,4840431984279389404,15753470751389957253,131072 /prefetch:8
      4⤵
      PID:1560
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\.mp4"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1056

C:\Windows\system32\taskeng.exe
taskeng.exe {2DB4CB81-4710-45C4-B9FE-2EB610878A87} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:2480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x24c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3a9e1acf-0998-42e3-9227-3e1ce8fd2cb6.tmp

Filesize
281KB

MD5
880569058510f394822e57fb91c14d10

SHA1
300e47ed0a1c7d7147abff1f0ab54a314a5fc672

SHA256
4145557e24ede390fe5416328827b72f99d0bea3f8d997b45f51505255d4c802

SHA512
2a38b50c671ab95348ec56601aa6de8b8192b0cd2a331f723fad1dd1fcf2aca04b9efd3bceabf0264c77b85af2e95f018607720ad897a7d5ab5a186a701969f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5b860e5cf92c823771371da14051fc76

SHA1
88e94b252822ed89b77cfda99be7de97ef0c875b

SHA256
3c6897ed6841bbfe96afdb78068e6814839485bcd408e17dee34953a7b1910af

SHA512
0b509e6b27c9b24f1f7fc719571dfd3fd234596448f709b8bb271cdfde1cf25d6bb6730d7f58cb0471a3c6c9b956044543b545816eb954d9d0b57d1f99bfac0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
f29790c2f12dda518e62799c8ab1cbd9

SHA1
8e99abf02e9edeb5b4fd1b4e5e4ef432dfc52dcb

SHA256
f01e6e2806725e05bf491b6ad7a06b2d4fb2fe17c0c71821ae6c8306e9a7591b

SHA512
5bc7e812758bcedc6a3aa305d9c8012766b5ff4ca93d8ef0bf9ba5f539a78cc3ae91b033263e9011175b371637f8a8178303a8b82f362d9928e712a1e8e0002c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.mp4

Filesize
312KB

MD5
e8653029eedb0e8e72a610d15c77907c

SHA1
1eb9f618ef3d2f2711e166721d3f5047313073e5

SHA256
9c066096d1c6c277bb85c2c1e2f1371a964ff544b8187658cd35a79544f30c1b

SHA512
6665da01a2b1923c0064856f60d99114dfe266a2660cd749da195d19b42b8e2e2c93232b548029e725b09d5657bb6c3a609b806086d522751e185f3925ddb915

Download Submit
C:\Users\Admin\AppData\Local\Temp\.webp

Filesize
19KB

MD5
e5109f42315507a84643e811310a67c3

SHA1
b6e70e1b2017db81fcf56ac4311441a61f417c92

SHA256
58121518282b86cb2dc39c68831fdb086498658a0276dd13039d175fe5716a3c

SHA512
70b0a62b34d6d86a31ce7ffaca83172e87ae0c14a5044d849cb9e52093a1f2fbdfd2e920621b607d5937b6340ed9fda3cf1f773c3e9553a20a00a533eeed7212

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
86KB

MD5
ba98b16195f42ec57a11625d07069b32

SHA1
5ceb0074aea25863a9a1ba07cb622b244852b700

SHA256
b33b872c1b4eb86346df012c19d0383832f8b2601e4ea221f6a439df423fc277

SHA512
aab588176794399d021357736a31012bfa5f0e52ffdd437b02d590261a76032caaa29ac32fbb3919b835b54a230cc2e9d1951fa22d4b320ca6d38279b1399aef

Download Submit
\Users\Admin\AppData\Local\Temp\windlogon.exe

Filesize
43KB

MD5
d263ae994c7828269ff7d3a5ec76a11b

SHA1
4c9dcda66fd3004be1b8e1eec4f397ddea9962d5

SHA256
1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98

SHA512
93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53

Download Submit
memory/1056-188-0x000007FEF67D0000-0x000007FEF67E1000-memory.dmp

Filesize
68KB

Download
memory/1056-194-0x000007FEF5FB0000-0x000007FEF6017000-memory.dmp

Filesize
412KB

Download
memory/1056-226-0x000007FEF6450000-0x000007FEF6706000-memory.dmp

Filesize
2.7MB

Download
memory/1056-222-0x000007FEEF4C0000-0x000007FEEF517000-memory.dmp

Filesize
348KB

Download
memory/1056-223-0x000007FEEF480000-0x000007FEEF4B4000-memory.dmp

Filesize
208KB

Download
memory/1056-219-0x000007FEF1830000-0x000007FEF18A4000-memory.dmp

Filesize
464KB

Download
memory/1056-221-0x000007FEEF520000-0x000007FEEF56E000-memory.dmp

Filesize
312KB

Download
memory/1056-220-0x000007FEEF590000-0x000007FEEF5A1000-memory.dmp

Filesize
68KB

Download
memory/1056-218-0x000007FEF1930000-0x000007FEF1977000-memory.dmp

Filesize
284KB

Download
memory/1056-217-0x000007FEF1980000-0x000007FEF19E1000-memory.dmp

Filesize
388KB

Download
memory/1056-207-0x000007FEF25B0000-0x000007FEF25C3000-memory.dmp

Filesize
76KB

Download
memory/1056-173-0x000007FEFAC90000-0x000007FEFACC4000-memory.dmp

Filesize
208KB

Download
memory/1056-172-0x000000013F950000-0x000000013FA48000-memory.dmp

Filesize
992KB

Download
memory/1056-175-0x000007FEFAD10000-0x000007FEFAD28000-memory.dmp

Filesize
96KB

Download
memory/1056-178-0x000007FEFAA00000-0x000007FEFAA17000-memory.dmp

Filesize
92KB

Download
memory/1056-177-0x000007FEFAAF0000-0x000007FEFAB01000-memory.dmp

Filesize
68KB

Download
memory/1056-174-0x000007FEF6450000-0x000007FEF6706000-memory.dmp

Filesize
2.7MB

Download
memory/1056-180-0x000007FEF7620000-0x000007FEF763D000-memory.dmp

Filesize
116KB

Download
memory/1056-181-0x000007FEF7600000-0x000007FEF7611000-memory.dmp

Filesize
68KB

Download
memory/1056-179-0x000007FEF7650000-0x000007FEF7661000-memory.dmp

Filesize
68KB

Download
memory/1056-176-0x000007FEFAB10000-0x000007FEFAB27000-memory.dmp

Filesize
92KB

Download
memory/1056-182-0x000007FEF5930000-0x000007FEF5B3B000-memory.dmp

Filesize
2.0MB

Download
memory/1056-184-0x000007FEF73F0000-0x000007FEF7431000-memory.dmp

Filesize
260KB

Download
memory/1056-185-0x000007FEF75D0000-0x000007FEF75F1000-memory.dmp

Filesize
132KB

Download
memory/1056-186-0x000007FEF73D0000-0x000007FEF73E8000-memory.dmp

Filesize
96KB

Download
memory/1056-187-0x000007FEF67F0000-0x000007FEF6801000-memory.dmp

Filesize
68KB

Download
memory/1056-216-0x000007FEF19F0000-0x000007FEF1A01000-memory.dmp

Filesize
68KB

Download
memory/1056-189-0x000007FEF67B0000-0x000007FEF67C1000-memory.dmp

Filesize
68KB

Download
memory/1056-190-0x000007FEF6430000-0x000007FEF644B000-memory.dmp

Filesize
108KB

Download
memory/1056-191-0x000007FEF6410000-0x000007FEF6421000-memory.dmp

Filesize
68KB

Download
memory/1056-192-0x000007FEF6050000-0x000007FEF6068000-memory.dmp

Filesize
96KB

Download
memory/1056-183-0x000007FEF4880000-0x000007FEF5930000-memory.dmp

Filesize
16.7MB

Download
memory/1056-193-0x000007FEF6020000-0x000007FEF6050000-memory.dmp

Filesize
192KB

Download
memory/1056-215-0x000007FEF1CC0000-0x000007FEF1DC6000-memory.dmp

Filesize
1.0MB

Download
memory/1056-195-0x000007FEF5D20000-0x000007FEF5D9C000-memory.dmp

Filesize
496KB

Download
memory/1056-196-0x000007FEF5F90000-0x000007FEF5FA1000-memory.dmp

Filesize
68KB

Download
memory/1056-197-0x000007FEF5CC0000-0x000007FEF5D17000-memory.dmp

Filesize
348KB

Download
memory/1056-199-0x000007FEF5F70000-0x000007FEF5F87000-memory.dmp

Filesize
92KB

Download
memory/1056-198-0x000007FEF4700000-0x000007FEF4880000-memory.dmp

Filesize
1.5MB

Download
memory/1056-201-0x000007FEF2C80000-0x000007FEF2E86000-memory.dmp

Filesize
2.0MB

Download
memory/1056-202-0x000007FEF5F10000-0x000007FEF5F22000-memory.dmp

Filesize
72KB

Download
memory/1056-203-0x000007FEF5C70000-0x000007FEF5CB2000-memory.dmp

Filesize
264KB

Download
memory/1056-200-0x000007FEF2E90000-0x000007FEF46FF000-memory.dmp

Filesize
24.4MB

Download
memory/1056-204-0x000007FEF2C30000-0x000007FEF2C7D000-memory.dmp

Filesize
308KB

Download
memory/1056-205-0x000007FEFABB0000-0x000007FEFABC0000-memory.dmp

Filesize
64KB

Download
memory/1056-206-0x000007FEF5EE0000-0x000007FEF5F0F000-memory.dmp

Filesize
188KB

Download
memory/1056-208-0x000007FEF2590000-0x000007FEF25A4000-memory.dmp

Filesize
80KB

Download
memory/1056-209-0x000007FEF2540000-0x000007FEF2590000-memory.dmp

Filesize
320KB

Download
memory/1056-210-0x000007FEF2050000-0x000007FEF2065000-memory.dmp

Filesize
84KB

Download
memory/1056-212-0x000007FEF1FE0000-0x000007FEF1FF3000-memory.dmp

Filesize
76KB

Download
memory/1056-214-0x000007FEF1FA0000-0x000007FEF1FB2000-memory.dmp

Filesize
72KB

Download
memory/1056-213-0x000007FEF1FC0000-0x000007FEF1FD1000-memory.dmp

Filesize
68KB

Download
memory/1056-211-0x000007FEF2020000-0x000007FEF2043000-memory.dmp

Filesize
140KB

Download
memory/1148-11-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/1148-12-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1148-13-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1148-16-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1148-17-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1148-21-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/1148-328-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/1504-20-0x0000000001360000-0x0000000001372000-memory.dmp

Filesize
72KB

Download
memory/2548-0-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2548-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-10-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download