njrat | c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F2LNJ_loader.exe
Size

5.4MB
MD5

916f7dea6831485387d70b0891455e65
SHA1

176e995cc2584d7c9703b2beee0994dcc4be91d5
SHA256

c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2
SHA512

ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4
SSDEEP

98304:m52dhBZTv0sGVD+Oq7j3JQ9oQSqEac8JgZSeC3FSDsa7V578kXHoujwCl1um:+sBtGVD+OoUq8+SZ1hAVpRRjw6Q

Score

10^/10

njrat umbral xworm hacked discovery evasion execution persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

147.185.221.20:49236

Mutex

6a8a3b6e5450a823d542e748a454aa4c

Attributes

reg_key
6a8a3b6e5450a823d542e748a454aa4c
splitter
|'|'|

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b57-18.dat	family_umbral
behavioral2/memory/1780-31-0x000001D9079C0000-0x000001D907A00000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b5a-43.dat	family_xworm
behavioral2/memory/3944-57-0x0000000000170000-0x0000000000180000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2292	powershell.exe
4356	powershell.exe
1684	powershell.exe
232	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1288	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	F2LNJ_loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 10 IoCs

pid	Process
1788	Server.exe
1780	Maple.exe
840	Server.exe
640	loader.exe
3944	conhost.exe
3276	loader.exe
2320	Maple.exe
4904	server.exe
3956	Ondrive.exe
4420	Ondrive.exe

Loads dropped DLL 9 IoCs

pid	Process
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3356	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3944	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe
3276	loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	conhost.exe
Token: SeDebugPrivilege	1780	Maple.exe
Token: SeIncreaseQuotaPrivilege	1288	wmic.exe
Token: SeSecurityPrivilege	1288	wmic.exe
Token: SeTakeOwnershipPrivilege	1288	wmic.exe
Token: SeLoadDriverPrivilege	1288	wmic.exe
Token: SeSystemProfilePrivilege	1288	wmic.exe
Token: SeSystemtimePrivilege	1288	wmic.exe
Token: SeProfSingleProcessPrivilege	1288	wmic.exe
Token: SeIncBasePriorityPrivilege	1288	wmic.exe
Token: SeCreatePagefilePrivilege	1288	wmic.exe
Token: SeBackupPrivilege	1288	wmic.exe
Token: SeRestorePrivilege	1288	wmic.exe
Token: SeShutdownPrivilege	1288	wmic.exe
Token: SeDebugPrivilege	1288	wmic.exe
Token: SeSystemEnvironmentPrivilege	1288	wmic.exe
Token: SeRemoteShutdownPrivilege	1288	wmic.exe
Token: SeUndockPrivilege	1288	wmic.exe
Token: SeManageVolumePrivilege	1288	wmic.exe
Token: 33	1288	wmic.exe
Token: 34	1288	wmic.exe
Token: 35	1288	wmic.exe
Token: 36	1288	wmic.exe
Token: SeIncreaseQuotaPrivilege	1288	wmic.exe
Token: SeSecurityPrivilege	1288	wmic.exe
Token: SeTakeOwnershipPrivilege	1288	wmic.exe
Token: SeLoadDriverPrivilege	1288	wmic.exe
Token: SeSystemProfilePrivilege	1288	wmic.exe
Token: SeSystemtimePrivilege	1288	wmic.exe
Token: SeProfSingleProcessPrivilege	1288	wmic.exe
Token: SeIncBasePriorityPrivilege	1288	wmic.exe
Token: SeCreatePagefilePrivilege	1288	wmic.exe
Token: SeBackupPrivilege	1288	wmic.exe
Token: SeRestorePrivilege	1288	wmic.exe
Token: SeShutdownPrivilege	1288	wmic.exe
Token: SeDebugPrivilege	1288	wmic.exe
Token: SeSystemEnvironmentPrivilege	1288	wmic.exe
Token: SeRemoteShutdownPrivilege	1288	wmic.exe
Token: SeUndockPrivilege	1288	wmic.exe
Token: SeManageVolumePrivilege	1288	wmic.exe
Token: 33	1288	wmic.exe
Token: 34	1288	wmic.exe
Token: 35	1288	wmic.exe
Token: 36	1288	wmic.exe
Token: SeDebugPrivilege	3276	loader.exe
Token: SeDebugPrivilege	2320	Maple.exe
Token: SeIncreaseQuotaPrivilege	4428	wmic.exe
Token: SeSecurityPrivilege	4428	wmic.exe
Token: SeTakeOwnershipPrivilege	4428	wmic.exe
Token: SeLoadDriverPrivilege	4428	wmic.exe
Token: SeSystemProfilePrivilege	4428	wmic.exe
Token: SeSystemtimePrivilege	4428	wmic.exe
Token: SeProfSingleProcessPrivilege	4428	wmic.exe
Token: SeIncBasePriorityPrivilege	4428	wmic.exe
Token: SeCreatePagefilePrivilege	4428	wmic.exe
Token: SeBackupPrivilege	4428	wmic.exe
Token: SeRestorePrivilege	4428	wmic.exe
Token: SeShutdownPrivilege	4428	wmic.exe
Token: SeDebugPrivilege	4428	wmic.exe
Token: SeSystemEnvironmentPrivilege	4428	wmic.exe
Token: SeRemoteShutdownPrivilege	4428	wmic.exe
Token: SeUndockPrivilege	4428	wmic.exe
Token: SeManageVolumePrivilege	4428	wmic.exe
Token: 33	4428	wmic.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1788	4928	F2LNJ_loader.exe	86
PID 4928 wrote to memory of 1788	4928	F2LNJ_loader.exe	86
PID 4928 wrote to memory of 1780	4928	F2LNJ_loader.exe	87
PID 4928 wrote to memory of 1780	4928	F2LNJ_loader.exe	87
PID 1788 wrote to memory of 840	1788	Server.exe	89
PID 1788 wrote to memory of 840	1788	Server.exe	89
PID 1788 wrote to memory of 840	1788	Server.exe	89
PID 4928 wrote to memory of 640	4928	F2LNJ_loader.exe	88
PID 4928 wrote to memory of 640	4928	F2LNJ_loader.exe	88
PID 1788 wrote to memory of 3944	1788	Server.exe	90
PID 1788 wrote to memory of 3944	1788	Server.exe	90
PID 1780 wrote to memory of 1288	1780	Maple.exe	92
PID 1780 wrote to memory of 1288	1780	Maple.exe	92
PID 640 wrote to memory of 3276	640	loader.exe	95
PID 640 wrote to memory of 3276	640	loader.exe	95
PID 3276 wrote to memory of 4504	3276	loader.exe	96
PID 3276 wrote to memory of 4504	3276	loader.exe	96
PID 4504 wrote to memory of 2320	4504	cmd.exe	97
PID 4504 wrote to memory of 2320	4504	cmd.exe	97
PID 2320 wrote to memory of 4428	2320	Maple.exe	98
PID 2320 wrote to memory of 4428	2320	Maple.exe	98
PID 3944 wrote to memory of 2292	3944	conhost.exe	100
PID 3944 wrote to memory of 2292	3944	conhost.exe	100
PID 3944 wrote to memory of 4356	3944	conhost.exe	102
PID 3944 wrote to memory of 4356	3944	conhost.exe	102
PID 3944 wrote to memory of 1684	3944	conhost.exe	104
PID 3944 wrote to memory of 1684	3944	conhost.exe	104
PID 3944 wrote to memory of 232	3944	conhost.exe	106
PID 3944 wrote to memory of 232	3944	conhost.exe	106
PID 3944 wrote to memory of 3356	3944	conhost.exe	108
PID 3944 wrote to memory of 3356	3944	conhost.exe	108
PID 840 wrote to memory of 4904	840	Server.exe	110
PID 840 wrote to memory of 4904	840	Server.exe	110
PID 840 wrote to memory of 4904	840	Server.exe	110
PID 4904 wrote to memory of 1288	4904	server.exe	111
PID 4904 wrote to memory of 1288	4904	server.exe	111
PID 4904 wrote to memory of 1288	4904	server.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\F2LNJ_loader.exe
"C:\Users\Admin\AppData\Local\Temp\F2LNJ_loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1288
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:232
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3356
- C:\Users\Admin\AppData\Local\Temp\Maple.exe
  "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start maple.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\Maple.exe
        
        maple.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Maple.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ondrive.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maple.exe

Filesize
227KB

MD5
550b445ad1a44d1f23f7155fae400db6

SHA1
cb006a53156285fdef3a0b33a4a08f534cd3bab7

SHA256
d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

SHA512
909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sl30b11e.oxx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.3MB

MD5
e630d72436e3dc1be7763de7f75b7adf

SHA1
40e07b22ab8b69e6827f90e20aeac35757899a23

SHA256
59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

SHA512
82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\loader.exe

Filesize
8.5MB

MD5
7e528c7d750373f489ed3983d28a5279

SHA1
805d666d7c3f98b0f2f21f8ded1ebc801bb87028

SHA256
7b025b56f3cec113e0569dfa37fa593f64d15c42116d321452500c03df105b8e

SHA512
40b4809678c6b17fcd389038464d32752058e60ed446d941698fee561641e740652bd305e2a6fe80cdd6171807fe6fbc22b99e4eaccd4c699acaca39b7328ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\psutil\_psutil_windows.pyd

Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_640_133730308902130746\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
memory/1780-31-0x000001D9079C0000-0x000001D907A00000-memory.dmp

Filesize
256KB

Download
memory/1788-58-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/1788-25-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1788-23-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/2292-141-0x000001B57D610000-0x000001B57D632000-memory.dmp

Filesize
136KB

Download
memory/3944-57-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/4928-0-0x00007FFB82543000-0x00007FFB82545000-memory.dmp

Filesize
8KB

Download
memory/4928-56-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/4928-10-0x00007FFB82540000-0x00007FFB83001000-memory.dmp

Filesize
10.8MB

Download
memory/4928-1-0x0000000000620000-0x0000000000B80000-memory.dmp

Filesize
5.4MB

Download