njrat | fcbef3a6102e83dad9c7b699cbc37156cd6e0646680628a069cc167052c927b5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverBullet.exe
Size

2.7MB
MD5

63c99c74fa1f1a9174d8f3013c5a870e
SHA1

4195ef425ca71b31470f3764bce11f8e17f1b992
SHA256

fcbef3a6102e83dad9c7b699cbc37156cd6e0646680628a069cc167052c927b5
SHA512

5c74ab8e25a6e60b529cb2ad73db107f5366a198b3721d2054603af458e8aec4d64c0389c1e01d6238ec46a033ac26916e3f3fd85f6806d6e7144231118a4676
SSDEEP

24576:nzJhZPEDTvlUx71jUhK/DEgOKSvh1TfFIH9gYRRcY+32oQRLwDQF4eaE2cZPeAgq:nsTt0jUiwg30h/7DQB/FOLDQB2zOQB

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

9cpanel.hackcrack.io:3489

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2160	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SilverBullet.exe

Executes dropped EXE 7 IoCs

pid	Process
1616	Setup.exe
3532	Setup.exe
2124	svchost.exe
636	SilverBullet .exe
2236	svchost.exe
3044	explorer.exe
2272	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	636	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SilverBullet .exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3612	taskmgr.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe
3044	explorer.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	svchost.exe
Token: SeDebugPrivilege	2236	svchost.exe
Token: SeDebugPrivilege	3612	taskmgr.exe
Token: SeSystemProfilePrivilege	3612	taskmgr.exe
Token: SeCreateGlobalPrivilege	3612	taskmgr.exe
Token: SeDebugPrivilege	3044	explorer.exe
Token: SeDebugPrivilege	2272	explorer.exe
Token: SeBackupPrivilege	2460	svchost.exe
Token: SeRestorePrivilege	2460	svchost.exe
Token: SeSecurityPrivilege	2460	svchost.exe
Token: SeTakeOwnershipPrivilege	2460	svchost.exe
Token: 35	2460	svchost.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	3612	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3612	taskmgr.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe
Token: 33	2272	explorer.exe
Token: SeIncBasePriorityPrivilege	2272	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe
3612	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	explorer.exe
3044	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 1616	380	SilverBullet.exe	81
PID 380 wrote to memory of 1616	380	SilverBullet.exe	81
PID 380 wrote to memory of 3532	380	SilverBullet.exe	82
PID 380 wrote to memory of 3532	380	SilverBullet.exe	82
PID 1616 wrote to memory of 2124	1616	Setup.exe	83
PID 1616 wrote to memory of 2124	1616	Setup.exe	83
PID 380 wrote to memory of 636	380	SilverBullet.exe	84
PID 380 wrote to memory of 636	380	SilverBullet.exe	84
PID 380 wrote to memory of 636	380	SilverBullet.exe	84
PID 3532 wrote to memory of 2236	3532	Setup.exe	85
PID 3532 wrote to memory of 2236	3532	Setup.exe	85
PID 2124 wrote to memory of 3044	2124	svchost.exe	103
PID 2124 wrote to memory of 3044	2124	svchost.exe	103
PID 3044 wrote to memory of 4936	3044	explorer.exe	104
PID 3044 wrote to memory of 4936	3044	explorer.exe	104
PID 3044 wrote to memory of 2272	3044	explorer.exe	107
PID 3044 wrote to memory of 2272	3044	explorer.exe	107
PID 2272 wrote to memory of 2160	2272	explorer.exe	109
PID 2272 wrote to memory of 2160	2272	explorer.exe	109

C:\Users\Admin\AppData\Local\Temp\SilverBullet.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBullet.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3044
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\bzaqwwre.inf
        5⤵
        
        PID:4936
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2160
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\SilverBullet .exe
  "C:\Users\Admin\AppData\Local\Temp\SilverBullet .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1064
    3⤵
    - Program crash
    PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 636 -ip 636
1⤵
PID:2008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
79d206410500f74a6f755f82d514c459

SHA1
67782eff101d316ad1eb79ee76dc4095f5994db3

SHA256
697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

SHA512
72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

Filesize
1KB

MD5
7ca69c3a50dd1e107b36424371d545aa

SHA1
af96b7133f339588b8de9e29be762dd8fbe2da08

SHA256
fb56bfa6682034270cd833c70e9ab03a606372aef15b2e305da0318873394664

SHA512
bf3b5a590335e671cd44f244bf20fc30028a56c55f69f4f8b0a46aba787b248c343391998ed5267b5ca9aa0075697e169056120c18837ddc3ca97c5ace83c6fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
fde7cc81ed0c50e7ce18702102f19ace

SHA1
e9f02b348fda9b22bb3999b4ebef4d366f153086

SHA256
00ac4add3fbf73f31bdeb249969dddc68da554c9e9383ec524d63c64dc3f4b53

SHA512
75bf55c4f619948f16e29f51008d026e7789eda82615f566b150d54f5769b64d7fe1a6ff8be458e2630be621c551183dfe272ce0a579024065cbc2b4b26f4bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
461KB

MD5
ee76425b767c9ab812a53c133b8363f8

SHA1
1daa4700a5f1849eb7e810986ac24bd58786da61

SHA256
f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747

SHA512
004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBullet .exe

Filesize
2.2MB

MD5
0267076b75cdcfa7ea98aba0bf033aee

SHA1
e168f887d26f0f752ef9e28ffc154b9afc1f1783

SHA256
9f160d80765337c3609242b9d0bd4d16856e1d57a7c2ff55ce8b00b45e5bea81

SHA512
18899a1b90a85ef2adbc71224d51ae51ea7e87662f71ff498734cf8a267aafd1c265bdb5a78b78437168f825ff28d894420ffdeb6af1653d150740b93d487122

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzaqwwre.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
357KB

MD5
cff755ff758e9e71d0af34017a8e9d8e

SHA1
8d401767360e61261cee79a18e061d9a0dc95724

SHA256
c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2

SHA512
a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
325KB

MD5
f36e535fdc82208fca08acfa44f790c6

SHA1
a3cc1aa7d614094faebada2aed1e6c519bd18c94

SHA256
51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc

SHA512
631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

Download Submit
memory/380-1-0x0000000000C20000-0x0000000000EDE000-memory.dmp

Filesize
2.7MB

Download
memory/380-0-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

Filesize
8KB

Download
memory/636-53-0x00000000005B0000-0x00000000007EE000-memory.dmp

Filesize
2.2MB

Download
memory/1616-52-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/1616-18-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/1616-16-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/1616-15-0x0000000002780000-0x00000000027AA000-memory.dmp

Filesize
168KB

Download
memory/1616-14-0x0000000000620000-0x0000000000698000-memory.dmp

Filesize
480KB

Download
memory/2124-46-0x0000000000F40000-0x0000000000F96000-memory.dmp

Filesize
344KB

Download
memory/2124-49-0x000000001BB10000-0x000000001BB18000-memory.dmp

Filesize
32KB

Download
memory/3044-89-0x000000001BC20000-0x000000001BCC6000-memory.dmp

Filesize
664KB

Download
memory/3044-97-0x0000000001220000-0x000000000122C000-memory.dmp

Filesize
48KB

Download
memory/3044-96-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/3044-95-0x000000001BFF0000-0x000000001C08C000-memory.dmp

Filesize
624KB

Download
memory/3044-92-0x000000001C610000-0x000000001CADE000-memory.dmp

Filesize
4.8MB

Download
memory/3612-70-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-62-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-63-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-68-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-69-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-64-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-74-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-71-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-72-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download
memory/3612-73-0x00000165E8080000-0x00000165E8081000-memory.dmp

Filesize
4KB

Download