njrat | 441be6f69dd6bdfafdf7fa4596ef37ac3a8bf6cce2b9b9154c5f2f39c71e3d97

Analysis

max time kernel
569s
max time network
558s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nigga.exe
Size

55KB
MD5

7a1624af489962ed1c60426a536e250c
SHA1

3ae27946c2dccb5ca0014d3b367dfb0b5f6bebc9
SHA256

441be6f69dd6bdfafdf7fa4596ef37ac3a8bf6cce2b9b9154c5f2f39c71e3d97
SHA512

a159818951c59d9eedccc70cc02dd5d65c8da7b0eebb5300d957614af8e71e64821bfcff3aa888a617f4cfccef4621c1534e70cd840753e04b733e7c71c652ca
SSDEEP

1536:B+oADn8fLNG/SbrKDD3wsNMDvXExI3pmjm:/ADncsqbeDD3wsNMDvXExI3pm

Score

10^/10

njrat bootkit discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

Nigga.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\310cce0cee234e77a00e8217080b1277.exe	Nigga.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\310cce0cee234e77a00e8217080b1277.exe	Nigga.exe

Executes dropped EXE 1 IoCs

Processes:

143ca1e43d8e45348ad62ed7fcbb0cdb.exe

pid	Process
2628	143ca1e43d8e45348ad62ed7fcbb0cdb.exe

Loads dropped DLL 1 IoCs

Processes:

Nigga.exe

pid	Process
2916	Nigga.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nigga.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\310cce0cee234e77a00e8217080b1277 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Nigga.exe\" .."	Nigga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\310cce0cee234e77a00e8217080b1277 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Nigga.exe\" .."	Nigga.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

Nigga.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Nigga.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.execmd.exetaskkill.execmd.exetaskkill.exetaskkill.exeDllHost.exetaskkill.exetaskkill.exetaskkill.exeNigga.exeIEXPLORE.EXEtaskkill.exetaskkill.execmd.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exetaskkill.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1524	taskkill.exe
1780	taskkill.exe
2388	taskkill.exe
552	taskkill.exe
1952	taskkill.exe
2384	taskkill.exe
1800	taskkill.exe
928	taskkill.exe
2984	taskkill.exe
2332	taskkill.exe
1472	taskkill.exe
908	taskkill.exe
768	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00dc2627a328db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cbf3c76d306504c851fc6665c5fa6df00000000020000000000106600000001000020000000f77012d2038763f15ec8e43f0ab43bb9f407cd324120f200a2a8d74ec1fba351000000000e80000000020000200000001278097b5ca1f89e104e93615377647ab3d30dc0c20bf0492db38b205baf2c2d20000000bea45b9c7e527f565a987c3eada125e025d30f9db7e46dc0a340c458682ea80540000000797b562fc71756abc607eb60c69c6adf33feb77224d781ca1bc24d4e7c85980e6fd7598fd7e0cc973fc935aa6605a4aa3064f41b01b38d37ffb4c740f53e4427	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50FCF8C1-9496-11EF-988C-4E66A3E0FBF8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436217747"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cbf3c76d306504c851fc6665c5fa6df00000000020000000000106600000001000020000000509f3e116ccf68b19d4f07fdafa3d03b8f8097d4ad01016f20b4d94a8c6cc211000000000e80000000020000200000009a48bea4d0802989c5a1b61230a9eaf1720ea4682e15b54d411e704874f4acb390000000cb554a91a6e6e8a814590462331c4201745e6e41309b5b0d0d3bb1c0b4d8534a601c653a1f6b7ba7a36eae49ebd0c112ecc61aaf826e05a1a6fe4530ccecc9cfd2425fcbd942a9c989b090117a91c12acf35f2796976d6c5f51d22e7528210e3a4b228984cb53a546b27e2e8aecaa9d6474110829c53083e4d17f1c70f68219270939b69aad8f0de240bd5f2cb2f527940000000a54b0d2b0c4cf695bd48de8046e5c41425928dd1ce4a1e79af6f0a15c51adf50e751e2e37b3ea1c207c67b247d91225cf3502342962cd5a69e1406d10e1fa772	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff82000000000000000805000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Nigga.exe

pid	Process
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Nigga.exe

pid	Process
2916	Nigga.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Nigga.exeAUDIODG.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	928	taskkill.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe
Token: 33	2916	Nigga.exe
Token: SeIncBasePriorityPrivilege	2916	Nigga.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Nigga.exeiexplore.exe

pid	Process
2916	Nigga.exe
2916	Nigga.exe
2916	Nigga.exe
1260	iexplore.exe
1260	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1260	iexplore.exe
1260	iexplore.exe
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Nigga.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2916 wrote to memory of 2628	2916	Nigga.exe	31
PID 2916 wrote to memory of 2628	2916	Nigga.exe	31
PID 2916 wrote to memory of 2628	2916	Nigga.exe	31
PID 2916 wrote to memory of 2628	2916	Nigga.exe	31
PID 2916 wrote to memory of 2888	2916	Nigga.exe	33
PID 2916 wrote to memory of 2888	2916	Nigga.exe	33
PID 2916 wrote to memory of 2888	2916	Nigga.exe	33
PID 2916 wrote to memory of 2888	2916	Nigga.exe	33
PID 2888 wrote to memory of 2388	2888	cmd.exe	35
PID 2888 wrote to memory of 2388	2888	cmd.exe	35
PID 2888 wrote to memory of 2388	2888	cmd.exe	35
PID 2888 wrote to memory of 2388	2888	cmd.exe	35
PID 2916 wrote to memory of 332	2916	Nigga.exe	37
PID 2916 wrote to memory of 332	2916	Nigga.exe	37
PID 2916 wrote to memory of 332	2916	Nigga.exe	37
PID 2916 wrote to memory of 332	2916	Nigga.exe	37
PID 332 wrote to memory of 552	332	cmd.exe	39
PID 332 wrote to memory of 552	332	cmd.exe	39
PID 332 wrote to memory of 552	332	cmd.exe	39
PID 332 wrote to memory of 552	332	cmd.exe	39
PID 2916 wrote to memory of 2264	2916	Nigga.exe	40
PID 2916 wrote to memory of 2264	2916	Nigga.exe	40
PID 2916 wrote to memory of 2264	2916	Nigga.exe	40
PID 2916 wrote to memory of 2264	2916	Nigga.exe	40
PID 2264 wrote to memory of 1952	2264	cmd.exe	42
PID 2264 wrote to memory of 1952	2264	cmd.exe	42
PID 2264 wrote to memory of 1952	2264	cmd.exe	42
PID 2264 wrote to memory of 1952	2264	cmd.exe	42
PID 2916 wrote to memory of 1356	2916	Nigga.exe	43
PID 2916 wrote to memory of 1356	2916	Nigga.exe	43
PID 2916 wrote to memory of 1356	2916	Nigga.exe	43
PID 2916 wrote to memory of 1356	2916	Nigga.exe	43
PID 1356 wrote to memory of 2384	1356	cmd.exe	45
PID 1356 wrote to memory of 2384	1356	cmd.exe	45
PID 1356 wrote to memory of 2384	1356	cmd.exe	45
PID 1356 wrote to memory of 2384	1356	cmd.exe	45
PID 2916 wrote to memory of 1012	2916	Nigga.exe	46
PID 2916 wrote to memory of 1012	2916	Nigga.exe	46
PID 2916 wrote to memory of 1012	2916	Nigga.exe	46
PID 2916 wrote to memory of 1012	2916	Nigga.exe	46
PID 1012 wrote to memory of 1800	1012	cmd.exe	48
PID 1012 wrote to memory of 1800	1012	cmd.exe	48
PID 1012 wrote to memory of 1800	1012	cmd.exe	48
PID 1012 wrote to memory of 1800	1012	cmd.exe	48
PID 2916 wrote to memory of 2900	2916	Nigga.exe	49
PID 2916 wrote to memory of 2900	2916	Nigga.exe	49
PID 2916 wrote to memory of 2900	2916	Nigga.exe	49
PID 2916 wrote to memory of 2900	2916	Nigga.exe	49
PID 2900 wrote to memory of 1472	2900	cmd.exe	51
PID 2900 wrote to memory of 1472	2900	cmd.exe	51
PID 2900 wrote to memory of 1472	2900	cmd.exe	51
PID 2900 wrote to memory of 1472	2900	cmd.exe	51
PID 2916 wrote to memory of 1348	2916	Nigga.exe	52
PID 2916 wrote to memory of 1348	2916	Nigga.exe	52
PID 2916 wrote to memory of 1348	2916	Nigga.exe	52
PID 2916 wrote to memory of 1348	2916	Nigga.exe	52
PID 1348 wrote to memory of 928	1348	cmd.exe	54
PID 1348 wrote to memory of 928	1348	cmd.exe	54
PID 1348 wrote to memory of 928	1348	cmd.exe	54
PID 1348 wrote to memory of 928	1348	cmd.exe	54
PID 2916 wrote to memory of 2516	2916	Nigga.exe	55
PID 2916 wrote to memory of 2516	2916	Nigga.exe	55
PID 2916 wrote to memory of 2516	2916	Nigga.exe	55
PID 2916 wrote to memory of 2516	2916	Nigga.exe	55

C:\Users\Admin\AppData\Local\Temp\Nigga.exe
"C:\Users\Admin\AppData\Local\Temp\Nigga.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\143ca1e43d8e45348ad62ed7fcbb0cdb.exe
  "C:\Users\Admin\AppData\Local\Temp\143ca1e43d8e45348ad62ed7fcbb0cdb.exe"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Firefox.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Firefox.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Chromium.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Chromium.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Opera.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Opera.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OperaGX.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OperaGX.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im MsEdge.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MsEdge.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Safari.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Safari.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Brave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Brave.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Iridium.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Iridium.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Dissenter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dissenter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im PaleMoon.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im PaleMoon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Vivaldi.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Vivaldi.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im iExplore.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iExplore.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1260
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
10899d938b320a6420093e4f32893bc3

SHA1
1a66a90e9cf08aa6fac7086471dc35509dd6afe6

SHA256
be8ec56208eb8098338d1d600913b83a3faa4f51826ff3c0b73dfa13964d2981

SHA512
210e45a031f02b74fe35433a5d142004ccbdba7d8213b4443194ee1e393bf319d0d1bb716d1d77f90a8fcb11ed611b93fc07b7615adf7fefcbf6bbbcb88f3d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
134cf5c65136e1a43c9e3ccd1ab14b88

SHA1
4c02e620517173ba2cfa8739fe9d243700428c6b

SHA256
9c90783b45b7e759cfb4092a820059dde936eb5966affeab6fa219029331c53e

SHA512
5545878417cef1a4a87e792919d15b0a265b404778e046d499aeccc5dbffdf809f6949b19a8e101166e57eee1f700df85a4ab52ff436c680525bd5b3b9a038ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7ddd9f976881501b0e8a3712c3d5e3c

SHA1
3632c30c0f025f6973365bdff00dba4a20bc46e8

SHA256
27715f94e1edb9d96d5c1ea1b3fb9181ddb1b522450f3042a21acd4070b35a0f

SHA512
a021e68ffcd92fd041307c4ceb2f12e1ce7427ed9cda45bf18e02452d68d823a87375ac59573dbc7ac07e047697b9c7dac163cf30569a59dd0f7a495a603de09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
822c9dc556cc42f4cae85fd400b0e902

SHA1
30753e87f191a59361ff6a3ffd4433d72b965d21

SHA256
57df76a517c49a1cf6f4fc66e5f1ac7da82976b4ed9aa767c3046bb5efecb203

SHA512
9905ee6351d481c7848e5c3abe42dfe6b2fdfadf46721d9c5e30e24bf0b230e879e49485faf61a9ab58369b9afdd12e0eec141a2a417b0279cc847fd2def8cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af01aa7023825ec7f15914fead7c946b

SHA1
3d99f1cea156b55b64dfd46a1314b9240a40c045

SHA256
cc9f7a53bf7ec24031866cd7b29575d6e1d68d90a2ca5832b49e5e7197543b41

SHA512
4293e4e1482233f5dfe96a62f711385e74d246afdbb90598be5024c43a2e02b12af4260e4f44ca675a1a3aba2ee22624d63f72a382d54ccba78ac62493d46d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f80258264ead283f2083fa37aae6b906

SHA1
0a74c2356eb04381a43a41941fb6458ca81bdbf6

SHA256
ba00a488ae7c8bf8c1a75187cf051ec6e72f415e5fe6ba3870d62cc3c94b07f8

SHA512
055e9f0dcdb96f986d01f740f3c1ac4be45f1493e1f863cf8a02fb6140037ef06eb0215798d914aaa409860942785dd9555b70442722329253817a854e6f10c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33548b329bc0e3eba47e8a92b1ac5ed7

SHA1
78beefdc9f818e435402026424dfcaf71c2bc48f

SHA256
188d19d5d18e7aa1d44a2a2fd81ccb82fdad92aea4273d0adcb9da4aeaf49ab1

SHA512
50e4fcdc88a03684d39982476b79b13209b15ec0d1a6ea0aa1c99ed4c310d62438493926435b2a69cf597e6fd79f915aa00993b13d30aa8e0ed3ac8a3f65c2cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37108f1ee937e23723d009d647b316f8

SHA1
d51980155b3f851924b2697ebe24a1a3558d5988

SHA256
80b346502878da3e55a42f583b9d5088f7ea85ba37a3f55f84aea9e1452f8bbd

SHA512
1e0724b0d820cf889a074fbd765e75debc5bb9a22346dd211a8ac3ef9450ad820b18d66a3137db2deefd9890f0389e27a47d412ebfdcf218be52fd2b8cd196c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf5fa7bc4957995d91d5ed156f8ed8de

SHA1
841a181cd05c2a3ea5c4e3079c33304298bba5fd

SHA256
2f513d2b538df8ab4f2aab0562367ae6bd88d0413f7b97fb3dd52be49ba0d5fd

SHA512
2b72b5bd9472a12546f26b922585033b96e70c973341ed8bd0218398081c90eacd62e2aede9de8f937fbe44af9877ba5924781820d3b336193dbffe9acf616ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f40b0b2c78efc870cb407ff1d7be0d

SHA1
1613f3c093aa42f0566e7a90ac5e2104235ea4f4

SHA256
6f1cfc25dae9493d636969038a712136cfd9eab7fea85662af38f8dda395d6f5

SHA512
3e654f53c6a89e79b7e53bb340623bc5a97222a12c97e70c363ef89e0f66bef35f868d8fae40401d6ebdef7e2397968e4c6ad98798f16f5df828a40ba235915e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d0ddf0942be6caf9de5e0b0d392fb67

SHA1
a91f765556b8625178830734c5cecfeb3cc087af

SHA256
4ae3dd65f05d2b2f3e4e66dd1ff834aa8aa3786e85aa389666d1c641e52cce2e

SHA512
0797996d63ec8cb407fba0594484ab3462c6a785d6485530d0ef5d3bd2d8521c8bc8bacfb491743c2ddc0f123c3fe2c13e39645d75f7bd4de9c1da6c9ed497b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0dc915b2ebf0f160925fd70a8a722eb

SHA1
2332ebfd982c3c1ed0f26d625e9f468419b128c5

SHA256
08c5e8d9fcd6fd4022dee0720db8c2cf2800f64852a832fb655b35bd56c257b6

SHA512
a2225898131e9ccdb3d8a6a286e6cd8f12b57160f13a96ca56deb43459d3536afe39bdc35ecc7738104c10465a0a623fc17e9bb0ee895c1ad840f6c55ec68684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a3809fa0ed06c375c4b92e325c03f1a

SHA1
1a126e12f30d57d1a53432f4b25aed3fcf9951ce

SHA256
2bcf47223334ecab3f9aec5e817231f8dae5c5af9af4f66d9f30f07a505bfc93

SHA512
bfdb83235e78fab2d22c413f7c3407721e9726817414ef3d04999c7bad4faca25c7759f0ec3fe9d3a26646d28290780b70d743f2d7a0d0c973d12fdaf5c972bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf1faf6ea5bbdf0cf50b4ccc5fc16b1

SHA1
e86bd6e06f23d1d10e40ed297e7f279574f2c500

SHA256
dd0e8a25fd4bc26112da0789c381cdf0d5fe59b2b474214a15b097bd0fd3cbfe

SHA512
c7c10380aa13d86f779e86e807816e52206f38fed8c3e8f5c59221b55cb17a8fd98721e32e8e68f12bb711373eb4fe96857257662c886f55862dc77cd509c833

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37f9a3186bb801f8dfe09e9d5b992e4f

SHA1
6c9f37c39b834406f1635de12849d9fdd26553d9

SHA256
26039e844398e8fbf3db7df6b5df4b2c60b5bcc62c9dbf6de111e6547e9d6f98

SHA512
1c094ef02220c8b43333cdb4baeafc8102b93de262e1dd56ecd4057f1f38fa06eb74ce23ee56e440a5c0866263cbd65896cdc067a015b9184621a9b4b3f63616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9de915c312f4a4112b6aacbf709e1c74

SHA1
9111caac925656b7a985fe97026149a957aa2a44

SHA256
17228c0bbab86d1a56c0fd795be3b18162c07eb23817fc7cacca3f3f486dc742

SHA512
0e070f0cd37a618abe15e95b2837c5837d71412a48fe602e22e00c935df154f40e5a972c56c9c6fac326735568292d7e7478e3e24226ac7ae6d5d8951f0d8fea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10cae1f4c8cafbf024f626717a268045

SHA1
c3665369e5410a637f9823c660d67b27af637d3e

SHA256
072f83bb743ab4b1a81b84c87f56600f2908e8662afde4e68b8f3405c2321654

SHA512
dc321cb477d05bb73b5100a3c69e08f711d8e61b5f1c022286c7d82df6e192fcaf7a64d68cba5d1a763f0322d1ccbd0b59f9a0904b2dd7ba65950df4966f7090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
905c403c9dcdb360072257b3cdc8801c

SHA1
110f9032761465da71ae79ad4037420d9a80ccbe

SHA256
ab81529d80e236bb2799e23c32e12bd4c7f6ff8844fd19a6055b18cf9acd6bf8

SHA512
63bd74ef226f5e7b92a6b138a33bdc9c4afed9eeeec04b51433a9c4cb4c3f71c1628143d885dc453e12375b1ad3eb27310eb82ea7e5ab1938593826b8947373a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4251c03fe8364ba1558bc6eec36c42b5

SHA1
cd31602904ba4a1b19dd60d53c19b80e645badcd

SHA256
57992d972cbfcecf024dd0300dba2b858ba62307d3d60c8e78a65201c32df9d8

SHA512
0695a4af28be74c2122fff2936119d9adb3922fc71e99c1797fb15ba2c798594276dd308359bc20fc0ab667fdc603dd90c2ba87f05ec78bf560daeb9572dd86c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8ec1257b46ce7d8d7a19c1acfff2573

SHA1
40f0c3797780f812420d3aa04075f594054041a2

SHA256
0215fd768356e0227ff5468bde8f74f067de86fd5c1bb95809cf619b331f204a

SHA512
43e93b5b9b3aeee35c33e8ff924f8560cb4908f97d2f6a21b42efeeffc766144f0c3468e954895b59caa3657ff5d5fe9efe9df6b38fcc15cb625287c40235e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5d11dab3a80c9477e9515868ee4e3151

SHA1
027012b463314a50eca1e73457c03acf2c41d806

SHA256
6f0585e31a7f2d17b3030a2e9eed8106d1b91a5c5470761768eb6bafb167ebea

SHA512
1f02b2c6c235cba8b78c1ab8a971ea534e7cadcf56c78f32e362824cd6e9a8d33b01d12f8ff03c91c74cc0fd32d352e204f464f0642ab2dda605ac904bb39ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
5KB

MD5
d29b3a07575a193f2482e7dd840f995e

SHA1
a0fb6a724e7b2d99b4e3ab5d9849a503f35ef7c5

SHA256
419e688e1ae980c112626d96ea1d8fc75b0734d6408b04e4e4464db73d42b776

SHA512
7449fb98b2bc6d45c05a4f24e6e0220319857894be03bae99d942d932f27450a0d1e958ff17aa9472aacdbfa17e55035797eb5d028223b068de692e0f5f7396e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\143ca1e43d8e45348ad62ed7fcbb0cdb.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD682.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD695.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2628-21-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-20-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-19-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-18-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2628-17-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/2916-10-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/2916-9-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-7-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-6-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-5-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-4-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-2-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download