Analysis
max time kernel: 594s
max time network: 598s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-12-2024 14:47
Behavioral task behavioral1
Sample: NjRat.0.7D-main(1).zip
Resource: win10ltsc2021-20241023-en
Behavioral task behavioral2
Sample: NjRat.0.7D-main(1).zip
Resource: win11-20241007-en
General
Target: NjRat.0.7D-main(1).zip
Size: 48.8MB
MD5: 80d3d5163cafe75e0f2d1666a4c65414
SHA1: b94d1e8abcf337c888f403e4e7563c896fa7d51c
SHA256: d96bb6e66aef5a2901a0bfb80df3382d79cdcf60c9916badf27b456244bc6929
SHA512: d606abeacdb158dfdfabd89d7e3c12800704faa499821d01494899d5c36d93d2cc540d8747633535e148abffba4ac8c1fb3016fc03535c3d75cf74edd34daae3
SSDEEP: 1572864:u5rfgndUOnIfRGjDT159RHXDZ8411rbYfkI:u5rf0mOnGRaThBZ84frUsI
Malware Config
Extracted
njrat
0.7d
monke
hakim32.ddns.net:2000
127.0.0.1:5552
03ee21e2b9447b703490c88d66ec84f2
reg_key: 03ee21e2b9447b703490c88d66ec84f2
splitter: |'|'|
Signatures
Njrat family
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
972 | netsh.exe
2024 | netsh.exe
4296 | netsh.exe
Executes dropped EXE 3 IoCs
pid | Process
5080 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
916 | Server.exe
Loads dropped DLL 8 IoCs
pid | Process
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NjRat 0.7D Danger Edition.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ilasm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NjRat 0.7D Danger Edition.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 1 IoCs
pid | Process
5488 | taskkill.exe
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Modifies registry class 54 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3120 | msedge.exe
3120 | msedge.exe
1800 | msedge.exe
1800 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3672 | 7zFM.exe
916 | Server.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid | Process
2892 | msedge.exe
2892 | msedge.exe
Suspicious use of AdjustPrivilegeToken 29 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3672 | 7zFM.exe
Token: 35 | 3672 | 7zFM.exe
Token: SeSecurityPrivilege | 3672 | 7zFM.exe
Token: 33 | 1144 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1144 | AUDIODG.EXE
Token: SeDebugPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: SeDebugPrivilege | 5488 | taskkill.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: 33 | 916 | Server.exe
Token: SeIncBasePriorityPrivilege | 916 | Server.exe
Token: SeShutdownPrivilege | 2908 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2908 | shutdown.exe
Suspicious use of FindShellTrayWindow 35 IoCs
pid | Process
3672 | 7zFM.exe
3672 | 7zFM.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2892 | msedge.exe
2988 | NjRat 0.7D Danger Edition.exe
Suspicious use of SendNotifyMessage 7 IoCs
pid | Process
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
5080 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
2988 | NjRat 0.7D Danger Edition.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
5080 | NjRat 0.7D Danger Edition.exe
1932 | PickerHost.exe
5744 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5080 wrote to memory of 5836 | 5080 | NjRat 0.7D Danger Edition.exe | 84
PID 5080 wrote to memory of 5836 | 5080 | NjRat 0.7D Danger Edition.exe | 84
PID 5080 wrote to memory of 5836 | 5080 | NjRat 0.7D Danger Edition.exe | 84
PID 916 wrote to memory of 4296 | 916 | Server.exe | 89
PID 916 wrote to memory of 4296 | 916 | Server.exe | 89
PID 916 wrote to memory of 4296 | 916 | Server.exe | 89
PID 916 wrote to memory of 972 | 916 | Server.exe | 91
PID 916 wrote to memory of 972 | 916 | Server.exe | 91
PID 916 wrote to memory of 972 | 916 | Server.exe | 91
PID 916 wrote to memory of 2024 | 916 | Server.exe | 92
PID 916 wrote to memory of 2024 | 916 | Server.exe | 92
PID 916 wrote to memory of 2024 | 916 | Server.exe | 92
PID 916 wrote to memory of 4740 | 916 | Server.exe | 96
PID 916 wrote to memory of 4740 | 916 | Server.exe | 96
PID 916 wrote to memory of 4740 | 916 | Server.exe | 96
PID 4740 wrote to memory of 5488 | 4740 | cmd.exe | 98
PID 4740 wrote to memory of 5488 | 4740 | cmd.exe | 98
PID 4740 wrote to memory of 5488 | 4740 | cmd.exe | 98
PID 916 wrote to memory of 5008 | 916 | Server.exe | 100
PID 916 wrote to memory of 5008 | 916 | Server.exe | 100
PID 916 wrote to memory of 5008 | 916 | Server.exe | 100
PID 916 wrote to memory of 5212 | 916 | Server.exe | 102
PID 916 wrote to memory of 5212 | 916 | Server.exe | 102
PID 916 wrote to memory of 5212 | 916 | Server.exe | 102
PID 916 wrote to memory of 5252 | 916 | Server.exe | 104
PID 916 wrote to memory of 5252 | 916 | Server.exe | 104
PID 916 wrote to memory of 5252 | 916 | Server.exe | 104
PID 916 wrote to memory of 2816 | 916 | Server.exe | 106
PID 916 wrote to memory of 2816 | 916 | Server.exe | 106
PID 916 wrote to memory of 2816 | 916 | Server.exe | 106
PID 916 wrote to memory of 3748 | 916 | Server.exe | 108
PID 916 wrote to memory of 3748 | 916 | Server.exe | 108
PID 916 wrote to memory of 3748 | 916 | Server.exe | 108
PID 5008 wrote to memory of 2908 | 5008 | cmd.exe | 110
PID 5008 wrote to memory of 2908 | 5008 | cmd.exe | 110
PID 5008 wrote to memory of 2908 | 5008 | cmd.exe | 110
PID 5252 wrote to memory of 3484 | 5252 | cmd.exe | 113
PID 5252 wrote to memory of 3484 | 5252 | cmd.exe | 113
PID 5252 wrote to memory of 3484 | 5252 | cmd.exe | 113
PID 2816 wrote to memory of 2892 | 2816 | cmd.exe | 114
PID 2816 wrote to memory of 2892 | 2816 | cmd.exe | 114
PID 2892 wrote to memory of 5548 | 2892 | msedge.exe | 115
PID 2892 wrote to memory of 5548 | 2892 | msedge.exe | 115
PID 2816 wrote to memory of 4484 | 2816 | cmd.exe | 116
PID 2816 wrote to memory of 4484 | 2816 | cmd.exe | 116
PID 4484 wrote to memory of 4768 | 4484 | msedge.exe | 117
PID 4484 wrote to memory of 4768 | 4484 | msedge.exe | 117
PID 2816 wrote to memory of 3712 | 2816 | cmd.exe | 118
PID 2816 wrote to memory of 3712 | 2816 | cmd.exe | 118
PID 3712 wrote to memory of 2568 | 3712 | msedge.exe | 119
PID 3712 wrote to memory of 2568 | 3712 | msedge.exe | 119
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
PID 2892 wrote to memory of 872 | 2892 | msedge.exe | 120
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main(1).zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3672
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1304
-
C:\Users\Admin\Desktop\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"C:\Users\Admin\Desktop\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\Server.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5836
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C01⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
C:\Users\Admin\Desktop\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"C:\Users\Admin\Desktop\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988
-
C:\Users\Admin\Desktop\Server.exe"C:\Users\Admin\Desktop\Server.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Desktop\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4296
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\Desktop\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:972
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Desktop\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp520C.tmp.BAT" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM EXPLORER.EXE3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5488
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96C7.tmp.BAT" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\shutdown.exeshutdown -s -t 13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96F7.tmp.BAT" "2⤵
- System Location Discovery: System Language Discovery
PID:5212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9707.tmp.BAT" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5252 -
C:\Windows\SysWOW64\rundll32.exerundll32 USER32.DLL,SwapMouseButton3⤵
- System Location Discovery: System Language Discovery
PID:3484
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9727.tmp.BAT" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sambaporno.com/3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7fff63633cb8,0x7fff63633cc8,0x7fff63633cd84⤵PID:5548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,3630202277441077803,5092795210630844290,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:24⤵PID:872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,3630202277441077803,5092795210630844290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:3120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,3630202277441077803,5092795210630844290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:84⤵PID:3168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,3630202277441077803,5092795210630844290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:14⤵PID:4252
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,3630202277441077803,5092795210630844290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:14⤵PID:4228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sambaporno.com/3⤵
- Suspicious use of WriteProcessMemory
PID:4484
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff63633cb8,0x7fff63633cc8,0x7fff63633cd84⤵PID:4768
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12751019403569573288,5983469962502579869,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:24⤵PID:1636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,12751019403569573288,5983469962502579869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sambaporno.com/3⤵
- Suspicious use of WriteProcessMemory
PID:3712
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff63633cb8,0x7fff63633cc8,0x7fff63633cd84⤵PID:2568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sambaporno.com/3⤵PID:5296
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff63633cb8,0x7fff63633cc8,0x7fff63633cd84⤵PID:4828
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9757.tmp.BAT" "2⤵
- System Location Discovery: System Language Discovery
PID:3748
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1932
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a22055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5744
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5648
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads