njrat | 19ceb2fb547708b698c90222c404f1ae92f697a8f3471c34217eae990d384f21

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F67D72EA066963D2022F70E713DF05FB.exe
Size

340KB
MD5

f67d72ea066963d2022f70e713df05fb
SHA1

c872659bb161c05fe15b56b03ecda2f369779cf6
SHA256

19ceb2fb547708b698c90222c404f1ae92f697a8f3471c34217eae990d384f21
SHA512

fff2c9c05a221b6115b962c0b12465021cd7ef7f328bc66035a98c9a7cfac4c9eb293b648856d3a2f750361841c69d1664579e88f553901dbdc26a8e7ac2bcc9
SSDEEP

6144:shKBbUiI0zzx/vnG2pFgLbkOtJ6b/7FQ8BKmBLoBXZauy1CYWQhZ66z+n4VZbd8:shKCqOkOj6T5NXOauy1CTQhZ66z24VZZ

Score

10^/10

njrat hacked defense_evasion evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

lemon.geoiplookup.live:56071

Mutex

Registry Editor

Attributes

reg_key
Registry Editor
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
344	powershell.exe
3268	powershell.exe
4652	powershell.exe
2320	powershell.exe
1564	powershell.exe
1852	powershell.exe
5052	powershell.exe
1632	powershell.exe
2320	powershell.exe
1564	powershell.exe
1852	powershell.exe
5052	powershell.exe
1632	powershell.exe
344	powershell.exe
3268	powershell.exe
4652	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
1004	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

version.exeF67D72EA066963D2022F70E713DF05FB.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	F67D72EA066963D2022F70E713DF05FB.exe

Executes dropped EXE 2 IoCs

Processes:

version.exeregedit.exe

pid	Process
4388	version.exe
4856	regedit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Editor = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\regedit.exe\" ."	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Editor = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\regedit.exe\" ."	regedit.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	Process
4056	cmd.exe
4224	cmd.exe
1220	cmd.exe
1836	cmd.exe
4896	cmd.exe
3960	cmd.exe
2360	cmd.exe
4808	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4520	taskkill.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid	Process
4856	regedit.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

F67D72EA066963D2022F70E713DF05FB.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe
4652	powershell.exe
2320	powershell.exe
3268	powershell.exe
3268	powershell.exe
4652	powershell.exe
4652	powershell.exe
1564	powershell.exe
1564	powershell.exe
5052	powershell.exe
5052	powershell.exe
1852	powershell.exe
1852	powershell.exe
1632	powershell.exe
1632	powershell.exe
2320	powershell.exe
2320	powershell.exe
3268	powershell.exe
3268	powershell.exe
344	powershell.exe
344	powershell.exe
1632	powershell.exe
1852	powershell.exe
5052	powershell.exe
1564	powershell.exe
344	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

F67D72EA066963D2022F70E713DF05FB.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeregedit.exe

description	pid	Process
Token: SeDebugPrivilege	2128	F67D72EA066963D2022F70E713DF05FB.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe
Token: 33	4856	regedit.exe
Token: SeIncBasePriorityPrivilege	4856	regedit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

F67D72EA066963D2022F70E713DF05FB.exe

pid	Process
2128	F67D72EA066963D2022F70E713DF05FB.exe
2128	F67D72EA066963D2022F70E713DF05FB.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

F67D72EA066963D2022F70E713DF05FB.exeversion.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeregedit.exe

description	pid	Process	procid_target
PID 2128 wrote to memory of 2228	2128	F67D72EA066963D2022F70E713DF05FB.exe	83
PID 2128 wrote to memory of 2228	2128	F67D72EA066963D2022F70E713DF05FB.exe	83
PID 4388 wrote to memory of 4056	4388	version.exe	86
PID 4388 wrote to memory of 4056	4388	version.exe	86
PID 4388 wrote to memory of 4224	4388	version.exe	88
PID 4388 wrote to memory of 4224	4388	version.exe	88
PID 4388 wrote to memory of 1220	4388	version.exe	90
PID 4388 wrote to memory of 1220	4388	version.exe	90
PID 4388 wrote to memory of 4808	4388	version.exe	91
PID 4388 wrote to memory of 4808	4388	version.exe	91
PID 4388 wrote to memory of 1836	4388	version.exe	93
PID 4388 wrote to memory of 1836	4388	version.exe	93
PID 4388 wrote to memory of 2360	4388	version.exe	95
PID 4388 wrote to memory of 2360	4388	version.exe	95
PID 4388 wrote to memory of 3960	4388	version.exe	96
PID 4388 wrote to memory of 3960	4388	version.exe	96
PID 4388 wrote to memory of 4896	4388	version.exe	98
PID 4388 wrote to memory of 4896	4388	version.exe	98
PID 4056 wrote to memory of 4652	4056	cmd.exe	102
PID 4056 wrote to memory of 4652	4056	cmd.exe	102
PID 4224 wrote to memory of 3268	4224	cmd.exe	103
PID 4224 wrote to memory of 3268	4224	cmd.exe	103
PID 1220 wrote to memory of 2320	1220	cmd.exe	104
PID 1220 wrote to memory of 2320	1220	cmd.exe	104
PID 2360 wrote to memory of 1564	2360	cmd.exe	107
PID 2360 wrote to memory of 1564	2360	cmd.exe	107
PID 1836 wrote to memory of 1852	1836	cmd.exe	108
PID 1836 wrote to memory of 1852	1836	cmd.exe	108
PID 3960 wrote to memory of 5052	3960	cmd.exe	109
PID 3960 wrote to memory of 5052	3960	cmd.exe	109
PID 4896 wrote to memory of 1632	4896	cmd.exe	110
PID 4896 wrote to memory of 1632	4896	cmd.exe	110
PID 4808 wrote to memory of 344	4808	cmd.exe	111
PID 4808 wrote to memory of 344	4808	cmd.exe	111
PID 2128 wrote to memory of 4856	2128	F67D72EA066963D2022F70E713DF05FB.exe	113
PID 2128 wrote to memory of 4856	2128	F67D72EA066963D2022F70E713DF05FB.exe	113
PID 4856 wrote to memory of 1004	4856	regedit.exe	121
PID 4856 wrote to memory of 1004	4856	regedit.exe	121

C:\Users\Admin\AppData\Local\Temp\F67D72EA066963D2022F70E713DF05FB.exe
"C:\Users\Admin\AppData\Local\Temp\F67D72EA066963D2022F70E713DF05FB.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- \??\c:\windows\system32\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\4rzz4ifu.inf
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\regedit.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\regedit.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\regedit.exe" "regedit.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1004

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d3e692097443460531ee4627a2efe93

SHA1
9a5c7e842714346bbb3c047e54ea89d8c4f07f0e

SHA256
ed5ccf4e59a810d67f6782f886ef7b095b49187521e8841d4c53639fe5bc9660

SHA512
6948ba7ff72441d5e7f156b279ac8c38188806d1641ad1b699aa4a796b2f87df3eb1ed7757c6d8a7938ef71e7104f096d76c14e3f8de593489708d634b93e7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
764B

MD5
3d549b6672e2b519132a21f3b8cff54b

SHA1
c2249b31fe45de8b90a7ade9ca184a46ea758a16

SHA256
3784144bf422f5209a9e840045421e25c4b5ecf3dcc2f1e54c8a8d42ed08d35f

SHA512
cada246e4f8979f98acde14daad9bf49bf4144fc202341215a20c3f9ea49f7fa6d3151cf6370378fdaa7415364aefc75e415593716d62d6c9d4c3f5bb5c3f04e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c6b88ac1eec927b9f2dcf1277e32d7e

SHA1
e5862c2e5e899b806916702349d128eec019032a

SHA256
0759f7b2207c1b43e857c015e84bf637705937aa93409bf83fd84590dd0fefb5

SHA512
3624679a0c5ffbf0d99f57f58ade1e51817e9d4400ded356d1e78b0ce436504be38e9375ae494230db4a2dbeb2dcb9fe0f5da25a26987818c7c30639da3bc1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzz4ifu.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kt2rfxjv.jn2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\regedit.exe

Filesize
340KB

MD5
f67d72ea066963d2022f70e713df05fb

SHA1
c872659bb161c05fe15b56b03ecda2f369779cf6

SHA256
19ceb2fb547708b698c90222c404f1ae92f697a8f3471c34217eae990d384f21

SHA512
fff2c9c05a221b6115b962c0b12465021cd7ef7f328bc66035a98c9a7cfac4c9eb293b648856d3a2f750361841c69d1664579e88f553901dbdc26a8e7ac2bcc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/2128-10-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/2128-110-0x00007FF995F15000-0x00007FF995F16000-memory.dmp

Filesize
4KB

Download
memory/2128-126-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/2128-1-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/2128-111-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/2128-2-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/2128-12-0x00000000010F0000-0x00000000010FC000-memory.dmp

Filesize
48KB

Download
memory/2128-11-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/2128-0-0x00007FF995F15000-0x00007FF995F16000-memory.dmp

Filesize
4KB

Download
memory/2128-9-0x000000001B7E0000-0x000000001B87C000-memory.dmp

Filesize
624KB

Download
memory/2128-6-0x000000001C2E0000-0x000000001C7AE000-memory.dmp

Filesize
4.8MB

Download
memory/2128-3-0x000000001BCA0000-0x000000001BD46000-memory.dmp

Filesize
664KB

Download
memory/4388-15-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/4388-16-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/4388-19-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/4388-17-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Filesize
9.6MB

Download
memory/4652-25-0x000002BF9CC40000-0x000002BF9CC62000-memory.dmp

Filesize
136KB

Download
memory/4856-127-0x000000001C960000-0x000000001C9C2000-memory.dmp

Filesize
392KB

Download