njrat | 585137c99c22cd0b08e725b6f995a85a233ae31b118e30486bfbf2bb98d39a0e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

93KB
MD5

b4378a070bfed34faa41bcafe7a876b7
SHA1

4129b0e4742f0713d8e264f34272dcd2e560305e
SHA256

585137c99c22cd0b08e725b6f995a85a233ae31b118e30486bfbf2bb98d39a0e
SHA512

e33547a869ba9aea236ed664bf1f69d75e9c260c9392deb413dd6137703358f5f633286e443d5ab8c1fb8286cc3003f17fdad7c0a1939ba93d415d731ff76b1a
SSDEEP

1536:wdwC+xhUa9urgOBPRNvM4jEwzGi1dDlDMgS:wdmUa9urgObdGi1dZl

Score

10^/10

njrat fucked discovery evasion persistence privilege_escalation ransomware trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

fucked

hakim32.ddns.net:2000

fat-pads.gl.at.ply.gg:35059

Mutex

1ded3b4c35b07f633f7f88a8380c030d

Attributes

reg_key
1ded3b4c35b07f633f7f88a8380c030d
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2812	netsh.exe
764	netsh.exe
872	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ded3b4c35b07f633f7f88a8380c030dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ded3b4c35b07f633f7f88a8380c030dWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	123.exe
2844	123.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Capture.PNG"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73840911-C06A-11EF-9906-CA806D3F5BF8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7388F2E1-C06A-11EF-9906-CA806D3F5BF8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{736E9CB1-C06A-11EF-9906-CA806D3F5BF8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441036673"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1940	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe
3016	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3016	server.exe
1940	vlc.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: 33	3016	server.exe
Token: SeIncBasePriorityPrivilege	3016	server.exe
Token: SeShutdownPrivilege	2116	shutdown.exe
Token: SeRemoteShutdownPrivilege	2116	shutdown.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1960	iexplore.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe
1940	vlc.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1960	iexplore.exe
1960	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
1940	vlc.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
1932	iexplore.exe
1932	iexplore.exe
2072	iexplore.exe
2072	iexplore.exe
1524	iexplore.exe
1524	iexplore.exe
2932	iexplore.exe
2932	iexplore.exe
808	iexplore.exe
808	iexplore.exe
2644	iexplore.exe
2644	iexplore.exe
2164	iexplore.exe
2164	iexplore.exe
2424	iexplore.exe
2424	iexplore.exe
2980	iexplore.exe
2980	iexplore.exe
576	iexplore.exe
576	iexplore.exe
2220	iexplore.exe
2220	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3016	2844	123.exe	30
PID 2844 wrote to memory of 3016	2844	123.exe	30
PID 2844 wrote to memory of 3016	2844	123.exe	30
PID 2844 wrote to memory of 3016	2844	123.exe	30
PID 3016 wrote to memory of 2812	3016	server.exe	31
PID 3016 wrote to memory of 2812	3016	server.exe	31
PID 3016 wrote to memory of 2812	3016	server.exe	31
PID 3016 wrote to memory of 2812	3016	server.exe	31
PID 3016 wrote to memory of 764	3016	server.exe	33
PID 3016 wrote to memory of 764	3016	server.exe	33
PID 3016 wrote to memory of 764	3016	server.exe	33
PID 3016 wrote to memory of 764	3016	server.exe	33
PID 3016 wrote to memory of 872	3016	server.exe	34
PID 3016 wrote to memory of 872	3016	server.exe	34
PID 3016 wrote to memory of 872	3016	server.exe	34
PID 3016 wrote to memory of 872	3016	server.exe	34
PID 3016 wrote to memory of 1960	3016	server.exe	39
PID 3016 wrote to memory of 1960	3016	server.exe	39
PID 3016 wrote to memory of 1960	3016	server.exe	39
PID 3016 wrote to memory of 1960	3016	server.exe	39
PID 1960 wrote to memory of 2192	1960	iexplore.exe	40
PID 1960 wrote to memory of 2192	1960	iexplore.exe	40
PID 1960 wrote to memory of 2192	1960	iexplore.exe	40
PID 1960 wrote to memory of 2192	1960	iexplore.exe	40
PID 3016 wrote to memory of 1940	3016	server.exe	41
PID 3016 wrote to memory of 1940	3016	server.exe	41
PID 3016 wrote to memory of 1940	3016	server.exe	41
PID 3016 wrote to memory of 1940	3016	server.exe	41
PID 3016 wrote to memory of 2572	3016	server.exe	44
PID 3016 wrote to memory of 2572	3016	server.exe	44
PID 3016 wrote to memory of 2572	3016	server.exe	44
PID 3016 wrote to memory of 2572	3016	server.exe	44
PID 2572 wrote to memory of 2116	2572	cmd.exe	46
PID 2572 wrote to memory of 2116	2572	cmd.exe	46
PID 2572 wrote to memory of 2116	2572	cmd.exe	46
PID 2572 wrote to memory of 2116	2572	cmd.exe	46
PID 3016 wrote to memory of 2968	3016	server.exe	47
PID 3016 wrote to memory of 2968	3016	server.exe	47
PID 3016 wrote to memory of 2968	3016	server.exe	47
PID 3016 wrote to memory of 2968	3016	server.exe	47
PID 3016 wrote to memory of 576	3016	server.exe	50
PID 3016 wrote to memory of 576	3016	server.exe	50
PID 3016 wrote to memory of 576	3016	server.exe	50
PID 3016 wrote to memory of 576	3016	server.exe	50
PID 3016 wrote to memory of 572	3016	server.exe	52
PID 3016 wrote to memory of 572	3016	server.exe	52
PID 3016 wrote to memory of 572	3016	server.exe	52
PID 3016 wrote to memory of 572	3016	server.exe	52
PID 3016 wrote to memory of 1048	3016	server.exe	54
PID 3016 wrote to memory of 1048	3016	server.exe	54
PID 3016 wrote to memory of 1048	3016	server.exe	54
PID 3016 wrote to memory of 1048	3016	server.exe	54
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 576 wrote to memory of 836	576	cmd.exe	56
PID 572 wrote to memory of 808	572	cmd.exe	57
PID 572 wrote to memory of 808	572	cmd.exe	57
PID 572 wrote to memory of 808	572	cmd.exe	57
PID 572 wrote to memory of 808	572	cmd.exe	57
PID 572 wrote to memory of 2932	572	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:764
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:872
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2192
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.mp3"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A45.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AC3.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B03.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 USER32.DLL,SwapMouseButton
      4⤵
      System Location Discovery: System Language Discovery
      PID:836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B13.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:808
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2932
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:532
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2072
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1524
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1932
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2644
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2424
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2980
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2164
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:576
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:1520
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      PID:2300
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2220
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      PID:2408
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:816
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      PID:2956
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:688
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      PID:2080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B81.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd3fc1590494b2b8794ee1491f5d80c

SHA1
e21eb67214e2e520c61e8584c897d073fc030114

SHA256
08a903893ad3f5221d028d109b43762c80be506ddb98a90264bdf436faf43f40

SHA512
b7e731b49930312844e3ff02603b9e8c502c4cef408a30b6b307cf21b8110e88b81c0522cd0fb1e46f556663aca02dc4a1823b241c15052df9f1d2c081b9256e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdffdec95e76bb6f03ae03ae6eceefb3

SHA1
21133510381146f9131373fa0d0d69f72f267ecd

SHA256
83d327461ae7e9671e573eace760a90ab3ee57152d99c1e99e341cdcd5450a87

SHA512
c4227309e9f59bba0b662ccd7804be5d0cb68a17fcd8649ff8ab9d84fea2b04a99753600ff018d8eafb65f7d4f8c180306be90edd7a8c5db6ee0e51db41d0bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83008a0333c5b36b2dd2a8b0d0226f3c

SHA1
be707048dbe841d6f40044561cbebec2b74ec011

SHA256
9a0030a377803129b4400ef5c319f47f97b4d7be77e9f6f38e81cc9e21ab0d4d

SHA512
4716f6894b801b311cb31081f98a7d41f5251e34bac229b4c4ca66d2e328e0e5324262d649adf199345801c086eda10dc1548322cba34cc95ab3b35eada8af0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15d60b60ec211bdf2699540d08dd932a

SHA1
686e72bf0c831af08df72af519ae785729f1ffa6

SHA256
8a8594c38a1d99e716f0bdccef596039989ce213f901a9dd9a998591ce1c93e6

SHA512
e1d117e3b2a367605117081034abdb3652640fa6499f402a48c3cb7e1e04e01af9059139b784423267e6bf445ce1d59fad7dd91a98d801a02f13bbf5d56fa5cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bb25c232b6900129a9297467020f291

SHA1
20d51430b064cbd859c6c163c2d55dc72f39d36b

SHA256
f6b2eb03a712c463c4ee2f51520df90fe73824361046972239331914a71f4f89

SHA512
f7a6543cb32f6691ab2766716235e7531b53cd83c481dc7294df75325f1f6c029e9c2f460179efccd54387f51745fed12bd3c382388ad95dbfadf285629f16ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
781d3c7f7fdacb2e2cdb631e5b2ddd79

SHA1
3cd996524d45333c7a446ddf373466e63c5dd31d

SHA256
8ba35e1b1cec925f62c3a2635a3d7f8f51ceef97fdb62fb0f489d1113d6adb59

SHA512
b6013b94d18de689cfbfece913c224d9010623baa6ec1fabd679b076a10a8dfd71caf5a308215cc20344121c12f3e6831a23f1f76b188f7b0a733520e2c9ec0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa1e89d74e7d6b6baf33bb68823e6520

SHA1
9a92e67cff09fe0b383ab5b3c64d5b6861481a39

SHA256
1c96d98c3e525e54ba477abdcb65319c5b7fdbd6f9ef27eff8973a8bd8689d1f

SHA512
5e34ecc200bd549e06bcc875718588572b25d7bf2edf321b63ca3190240bd02aa828833ae0d085af10895010c6890162a1ab727b2ee822bfd4acbf79ee9c2d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c31b9093b1857495da277504f33771a5

SHA1
63685bb59f081fc830d245236b10f180481b7ccf

SHA256
808595bd03cec7cbb96fbf83e2c4c7606150559bc35f6837cf881820b17df195

SHA512
a9679fb8319ad525f3ae6f5ad2a56cfa4db646e89c753f04e6c0ffad0ec4c0fc33849d78b60c5381187dc5b2e309a333ea8b8649fae91f900a19d6f339ba5cf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2d2bb86560af2cfd276ca6c71fc409c

SHA1
99ce4d6af7ef29a57dcec626e81b98f494952111

SHA256
a7fb08aeefd3eb5cb330ba658fe664564d12d5e06ca767d74396e7b4366aaacb

SHA512
d1c1bccfb501a390612fdb2d1c308fc62da408fafb473efbb7921c7d2c911ae9f41d0b200e8601a74b899b6b600bb134e615be669859aeaaaacf39e6cb3c8763

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ad2bbe0d0b942678447ab56aa684eaf

SHA1
b06a5e05d1870335616a1d499cc56b66da85ce9b

SHA256
c32473893583b54510c9cdf92e8313b34c52b48fc485142fb87e8e1eac139bf7

SHA512
b528f44db18e6c39f087df4548aa95e02aa00f0ef19eac94e48e7e3d60b510efd13f404755f70375b91b1075645266cb6c5f1c8c6c8006243035a37f1a32168b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2298ac29fc63bc1783c6079e32fca93

SHA1
0df281cd861461002615cc925d00758511323368

SHA256
d175f257ee5fab77de9415133f9082d4e55c982a6c63c6802ca33a5a521560cb

SHA512
5d120eca639071ca574e75e45f8c863dc34a28f6578a0d1b2a1561c4592c5b4b3653e0e76540c73ec1d0f2942870d7fb837f42591105e75bdcb73e7596c65851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34d6b9d0742326031b05ceb8d5225496

SHA1
ff878d211cad2340079051accc8551dc706f160a

SHA256
dac93b08d2758d82570a0400f5988edd5c073f67470495c52af0e96d708515db

SHA512
be9d531197c85d99e632282aa6dc0971f4d2ee7c2b8a9b2032d5964de8acb74ff739667e41c9c7c4da0878a7bb5fce615192398dfdd6089638492a8dec19ef10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b10ecd979368ea504c35db11bdc09e4

SHA1
6d9d51cae7067d74da664c995481fc4c461eb5a3

SHA256
ec9b04c6889ff5c6aabe9775861278b4b3e5828de5c4578c15ec2bf2a665b40f

SHA512
f5272505d9ee766d3afc54878af9067d4fe469c412517344a54f92f98a1d33a00a971b76feb78c23bdf97b52ee1ef01a8afad8b1feeb60c6b7eb8c0be5b0eb04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17de1583b3e32da59f6269d12bf772b9

SHA1
861a9df80b454cc9378c46e846551a994c6a2455

SHA256
dacb26250483dcdc596afaf20b59b00111e73be22866be362064d8915943e120

SHA512
d714a32ce44197a88b1ea8a88a00fa7bae34200a8aa6381c1ef81db0d55f7571b22d5561e6b3c14e4475a08152a78dbcc11624bc5752b8f0157ed042beb6575d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c6b2deb0fbd36af95cedb645fb5461

SHA1
cca201f052bc32904726e6952b8486d37184e348

SHA256
fd5c54e06ae0dba2e14141bc769c52730107db3a1b512fe749d8bad2bf9a72a3

SHA512
1d2d7cd68fb18a287da3cd35b2f323f31a5d733c0016e18499af38fa6c3ab120699cd4d6eeafca9bab600550e1f70810c8e9b0b3545f62a1f4ee59007ed27cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30d732a3297403acfdb9b3b3e73d78c9

SHA1
a1b18e2d3c1e54bbe76edf5cea5006e7c9e1581c

SHA256
ed5be44856f9c6ad959fc624341df354ed08320d693ff039cbea492de62d214a

SHA512
106257779f210075cbd05420428a09aaa6d4c3ddb13048c0b7884d5014cf1d87da0e5adf9bde84d4f4f22d33ed0bffab9ca1b67b84f1aeefcdfd0e48bbcb177f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e8b9524ce699f29d7608033d82209fd

SHA1
995203d93fbed552a75e912741db24c6d7e08877

SHA256
75bd56f4057a991aae2722738c1a9b5beddcbc28ff0d13e17b356d158f035265

SHA512
aa51a0fae28aaa499ed4e4aaf7a7552efdb56315991eede57948d76b7730cd316dfa795736dde8e77d5cb409b8fe0ebca357116d5b5bc2a38afe60480f3ea0e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeec353f69aa359f89d55d36b78af086

SHA1
e456f0424f45d7e31d903381a5fc48813f9ac786

SHA256
0ff1ba1ecc914a05e32cbb6f85dbd44a2894b8fe272f5bcc4d59b4ae2c8d36d7

SHA512
29c4fa26ebf48b83147e263d11ebb4457feb1c1bb10446a37ca6fbc5002cf88393de904087549229ff2a2afa5dbfca95b9bf4816b9fb120f738ad5b13bf05ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba1ae4d36715c932bc67073fd2e793b0

SHA1
d569eca0d636bc5380bdb04516654a251377c53d

SHA256
dbc929276cf01e872dc40eadd9ff5fd57db720e1c3c9ca43ff4fa14a558f8a83

SHA512
ffcd2817c197c198692ae01d05ad08ced1485f45d5ede212190f9b66e98c562aff67beaf6d3af99b09a6b4367c171bea43bff9962897c598511e5f51b515c315

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e55123c011f6e7a17b6be478024a3db

SHA1
b92a120b7f5512e497f76c5edbf6f558a703e59b

SHA256
a0e3275a317a7aa6b28d8cc713cdf4c5341fbd96f0dd77c2898fc7af221f2035

SHA512
526465437f02465df95284cd9ee8006ab27963e554e78b4b0217d45e3d97aaf966119d374458f2b6e2f8ca6630131447fddf7b0ba878a81085eb37205a7ec78c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5221b3e99c475c93a2ef62e235c3cf79

SHA1
fe87d47efd92e9566b962b909efb22449ef55846

SHA256
798eea2e2056c387aae51e11cafa11515a83290f84caf3760692dfb40ad61fbf

SHA512
2797ad9653192bebb491fb4630addea2b48cf7600e340ffced7c50df7d58de3888be245d0023f04e38164648c36be2473d86ce508c30f714e8d82083077cc791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ce0e9fc6d7f189042b88d39c2d5d0c0

SHA1
566d21da57120917edbe41055f0af6f02f574fd8

SHA256
3f7c3657a6b50cca0b4aede64aad4a71abf4de78399557ee2103b2de559f2028

SHA512
9f5d52df6cb2251ea698af70dcdaf58886566e0c2c4f2b93aac9ec4332ec06976929ad4fb7aacd6c17405cbfb6ee73b92eea361b76c1223b53755c7a5cb54c94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7eeedfb6a51fbf1dc5e11438676359e

SHA1
836d4e7ea249f7129647afffd5178df7246074fd

SHA256
244e8bf46dbcfa9033af8374d5550cbeb7c860c9e20f8d30dc9a083227f7ad02

SHA512
295e6ed5f55e4fcc0e50a29ad63c3930985a1b3558408736db2213c628741576f3ed10daa89451138249288d910ea1cf8477091e85b265b3968a37a481ff605d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c70b2fce635cbf70b979cd063d2c068

SHA1
dc63e4c2430d3452126b8cc03d6e402105b8d8ae

SHA256
e73dcacc30d7eddbc59cc14f8c992bf8cbcd8f7fce8f3e4b7f8d41fc07483bad

SHA512
3d9254f9f0ca7ff5fb7255cd1e4461a2fb27c7e2de381112c8126d4ec2b2dd32bb8c49ab933c9d3a2d7ed519620af75babb4d799f46f9972d7c998eeb6b7d034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b44cff4feb44fc18becc4f9fad63d495

SHA1
19ac173f00ab6f624a633037638dba81dcb0ec29

SHA256
7eeb45d5d1258fb06360398c2bcb2492c2a56dda758d1d80628e65abe359d8ae

SHA512
98fd4426d020cad6bd7e0615843778b4d197445093827020450bb1901792088e63653bc87389def20ce3c03ab0ddb39585fb6b0b5d1e4ec5b7cd895826810fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7388F2E1-C06A-11EF-9906-CA806D3F5BF8}.dat

Filesize
3KB

MD5
28b326ba790e292ef3f376a4231b222f

SHA1
530a36577a804f1f1649445e96b5bfae2b332872

SHA256
220c6527abed2a2cd2dc6a4841b1c12f3b45f82d1a181dcfdfc760f4241cb8f8

SHA512
da123b66c54538df0d485a973c7d807f8c442476d758710733820963568d30d4ed2fbe0973d86d93ee6bece0b0d708f9a80f7d22a23b66ffc1550c6005955dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43F6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44C4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A45.tmp.BAT

Filesize
37B

MD5
1cbc3a2f81d4259e3bf61249711fec81

SHA1
7ba62560df466c6dcd794854a25aeb5b088968d8

SHA256
6a207f770478d59da0d2aa43a9719ef05b3f85c8c700400746ca3ab0463d08f0

SHA512
74ba85a391d769686c95001af6e29f9fe2ccaa4d119247fac31e65c8becda7be1ea9fa3eb9f2a06c1d48ac4b580ad8e63c14e06d94e8dd07b26129df7f1f4bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AC3.tmp.BAT

Filesize
183B

MD5
ab45b6913751e20d60d6c9a44a229a66

SHA1
fbf98231ced1c5667bb8b83114ca2f83b044698f

SHA256
71385e3fb017bb452466ab1ad8764950c14a7af856d0ee8c147cf8f7f073b2ec

SHA512
b462bd82a58ff51d3351ae5168028439fe3dbfbaeb2465c8b300419fb5d9115eb2091aa6fe4e11cf30ba9ee37e3ef175211e5053d6fc7a3398deace787180f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B03.tmp.BAT

Filesize
67B

MD5
1cc401169ef8cf1e8977f4e92dfe72c7

SHA1
d04c32295d4e563978fa0abb1b32ba52699cb08d

SHA256
32c699ebb7394ddb2d56f092ef10fde4d9f4bcf808dbe11bad777e7bc73f7aae

SHA512
076eb06d9fbf8bf1d6a4c5043d803ee7b5cf0307253de6358f8ea70e0bf240f5ae2208fbe9a44778e782e29c54751936f393ade6e292064d2134ed223506866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B13.tmp.BAT

Filesize
83B

MD5
cc795c9c4a83aa1ede067f96f1eb8d15

SHA1
32b8e1c43787353f7d87514e279288aff5f7d4f6

SHA256
37d23694738615464be8a3234bcc59592987432c8863db67e30385b8bb3ef450

SHA512
ec0b8f6600b2b0443ea6f271fcf16804e380b6f51f3f74997dc5c53ed28ece8ece58a12686b451532ed31941a67fa075305314fba7fa8555a7fb8cf6424c6fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B81.tmp.BAT

Filesize
76B

MD5
18dc60bfb068d99a80fd22499ec5f252

SHA1
4939c87a7ff6456971aa4baf517646d3df2a7710

SHA256
3be1adc56cfae9722bfa25df2ed2b112349b7aa4d8088cbf694e560dd9e53817

SHA512
890ba3a69f516df93154b7534f2530a5004f9d6ccc01e4f59a434e4c2c49912cc2630d34afcb24a60208173a089b8934ace4acad4cc587d21988a150d9ad32e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tempxxSD.html

Filesize
19B

MD5
53b9f8d6b89885849f2082ed155df5b0

SHA1
9698bf6232b9b0e9e9bd1a5c22a2e31cf1a7641e

SHA256
c8852b43797378fb4f911c2e010882f1665bbcaf037ba800d1d6de3329937488

SHA512
dd25d925585da29304f3b0ba6eb92463b9f25507ea3b0e306c891e441805210d9f02b451835f46d4d01ee0803f489bfbf5f0056fb47830f839d123be3cbf252f

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
d43c5b07c128b116b7bc8faf7b8efa9d

SHA1
dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

SHA256
80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

SHA512
618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
b4378a070bfed34faa41bcafe7a876b7

SHA1
4129b0e4742f0713d8e264f34272dcd2e560305e

SHA256
585137c99c22cd0b08e725b6f995a85a233ae31b118e30486bfbf2bb98d39a0e

SHA512
e33547a869ba9aea236ed664bf1f69d75e9c260c9392deb413dd6137703358f5f633286e443d5ab8c1fb8286cc3003f17fdad7c0a1939ba93d415d731ff76b1a

Download Submit
memory/1940-481-0x000007FEF5F70000-0x000007FEF5F81000-memory.dmp

Filesize
68KB

Download
memory/1940-473-0x000007FEF6F80000-0x000007FEF6FB4000-memory.dmp

Filesize
208KB

Download
memory/1940-478-0x000007FEF6400000-0x000007FEF6417000-memory.dmp

Filesize
92KB

Download
memory/1940-477-0x000007FEF6420000-0x000007FEF6431000-memory.dmp

Filesize
68KB

Download
memory/1940-476-0x000007FEF6440000-0x000007FEF6457000-memory.dmp

Filesize
92KB

Download
memory/1940-475-0x000007FEF69B0000-0x000007FEF69C8000-memory.dmp

Filesize
96KB

Download
memory/1940-489-0x000007FEF5290000-0x000007FEF52AB000-memory.dmp

Filesize
108KB

Download
memory/1940-482-0x000007FEF5380000-0x000007FEF558B000-memory.dmp

Filesize
2.0MB

Download
memory/1940-495-0x000007FEF4080000-0x000007FEF40FC000-memory.dmp

Filesize
496KB

Download
memory/1940-496-0x000007FEF4060000-0x000007FEF4071000-memory.dmp

Filesize
68KB

Download
memory/1940-497-0x000007FEF4040000-0x000007FEF4058000-memory.dmp

Filesize
96KB

Download
memory/1940-494-0x000007FEF4100000-0x000007FEF51B0000-memory.dmp

Filesize
16.7MB

Download
memory/1940-500-0x000007FEF3F80000-0x000007FEF3FA4000-memory.dmp

Filesize
144KB

Download
memory/1940-502-0x000007FEF3F30000-0x000007FEF3F41000-memory.dmp

Filesize
68KB

Download
memory/1940-498-0x000007FEF3FE0000-0x000007FEF4037000-memory.dmp

Filesize
348KB

Download
memory/1940-503-0x000007FEF3F10000-0x000007FEF3F22000-memory.dmp

Filesize
72KB

Download
memory/1940-501-0x000007FEF3F50000-0x000007FEF3F73000-memory.dmp

Filesize
140KB

Download
memory/1940-499-0x000007FEF3FB0000-0x000007FEF3FD8000-memory.dmp

Filesize
160KB

Download
memory/1940-472-0x000000013F350000-0x000000013F448000-memory.dmp

Filesize
992KB

Download
memory/1940-479-0x000007FEF5FB0000-0x000007FEF5FC1000-memory.dmp

Filesize
68KB

Download
memory/1940-483-0x000007FEF5330000-0x000007FEF5371000-memory.dmp

Filesize
260KB

Download
memory/1940-474-0x000007FEF5590000-0x000007FEF5846000-memory.dmp

Filesize
2.7MB

Download
memory/1940-484-0x000007FEF5DC0000-0x000007FEF5DE1000-memory.dmp

Filesize
132KB

Download
memory/1940-485-0x000007FEF5310000-0x000007FEF5328000-memory.dmp

Filesize
96KB

Download
memory/1940-486-0x000007FEF52F0000-0x000007FEF5301000-memory.dmp

Filesize
68KB

Download
memory/1940-487-0x000007FEF52D0000-0x000007FEF52E1000-memory.dmp

Filesize
68KB

Download
memory/1940-488-0x000007FEF52B0000-0x000007FEF52C1000-memory.dmp

Filesize
68KB

Download
memory/1940-490-0x000007FEF5270000-0x000007FEF5281000-memory.dmp

Filesize
68KB

Download
memory/1940-491-0x000007FEF5250000-0x000007FEF5268000-memory.dmp

Filesize
96KB

Download
memory/1940-492-0x000007FEF5220000-0x000007FEF5250000-memory.dmp

Filesize
192KB

Download
memory/1940-493-0x000007FEF51B0000-0x000007FEF5217000-memory.dmp

Filesize
412KB

Download
memory/1940-480-0x000007FEF5F90000-0x000007FEF5FAD000-memory.dmp

Filesize
116KB

Download
memory/2844-14-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-0-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/2844-2-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-1-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-31-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-17-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-16-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-15-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download