njrat | 46c75b74d21515e607a66db4dc2a04aebf4c03b5f885e2008f7ab2238a87c334

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
Size

11.7MB
MD5

9879774208b15b338883bb3e4b3b1f67
SHA1

f3c6bfabe12989b0937c007298593ce753528525
SHA256

46c75b74d21515e607a66db4dc2a04aebf4c03b5f885e2008f7ab2238a87c334
SHA512

61a3ee21ff5b413d0856f17fe56b760061b9f819d5d9ba5a6451b01e5ba8f881bdf03b80587912c27a2ea5c2f1cd60e7b4f84b80b07b589e838be092ac117cfd
SSDEEP

196608:310dD4Uk+mdtvzgLvEixiwPj8DMw1046pdHK1MVoK4JH539q15Un:31yDJmd6LvE4vOMJd9K1MVoKeH5NqM

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
640	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b89d30b680a51dc2d00cd25b99c736b.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b89d30b680a51dc2d00cd25b99c736b.exe	server.exe

Executes dropped EXE 9 IoCs

pid	Process
1036	fabric-installer-0.8.0.exe
1172	NOTanNot.exe
2768	MODS.exe
2940	System checker.exe
2676	NOTANVIRUS.exe
3040	NOTLOOSER.exe
1256	NOTVIRUS.sfx.exe
1132	NOTVIRUS.exe
2984	server.exe

Loads dropped DLL 26 IoCs

pid	Process
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
1172	NOTanNot.exe
1172	NOTanNot.exe
1172	NOTanNot.exe
2768	MODS.exe
2768	MODS.exe
2768	MODS.exe
2940	System checker.exe
2940	System checker.exe
2940	System checker.exe
2676	NOTANVIRUS.exe
2676	NOTANVIRUS.exe
2676	NOTANVIRUS.exe
3040	NOTLOOSER.exe
3040	NOTLOOSER.exe
3040	NOTLOOSER.exe
1256	NOTVIRUS.sfx.exe
1256	NOTVIRUS.sfx.exe
1256	NOTVIRUS.sfx.exe
1132	NOTVIRUS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\5b89d30b680a51dc2d00cd25b99c736b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5b89d30b680a51dc2d00cd25b99c736b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	D:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTLOOSER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTVIRUS.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fabric-installer-0.8.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTanNot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTANVIRUS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MODS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTVIRUS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2200	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{549BAD01-CB41-11EF-9A84-E699F793024F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eaf9cd07cd8b644a8b8d47c3e766570c00000000020000000000106600000001000020000000db8d11f4a58d158ec7a185e8745309d22eeeced17f9bb5552124b0431df0f1b8000000000e800000000200002000000098659cdbbfd1780d6600c9839692a715fb3d43fc64c48f2f4337abdab997aee22000000051e6b6aea82bcd0b0bcc0387bd1ab1f8ea2ef036ff407a722798c9b385bfe10e40000000fd5155c07dad850650c75f243b00b315fcc67aee4f1776ba70dff5667d345a5b3e89aac9e4a172d95589ce8a3199228bcbe7b084d3e7d9df1de217fc0a430e23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442228560"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405c1b2c4e5fdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eaf9cd07cd8b644a8b8d47c3e766570c000000000200000000001066000000010000200000006955171bc2d3a49e7aafef3290e3344aed0075fbfe23446c123bc1db346bac22000000000e8000000002000020000000c8f502de7efcbde34247b01d27066a69440ac325d586a4a0ed5b1415152ffd8a90000000b68d431341c8c81c40dc7056e5a0f962f6bb8d9c1212a45c5099d04d74cab4ed5727dbcce808fb80bea2b99229d2da4a795f5e188b741007dc6c15fae5990005ae0a71f9d2ab27a8d152912dc5db97f9b48e9b37fbc4d2b4ef859f0e47182851f61f3e9fd6f6984f9ab18f78dda93e06c737b6bab4f5a74603a2418e0bd579e3d6f43bd7d14879c47ed3322ff7af3fce4000000085fa5db67905bca66bf3d4ab46c715317bce6baf0bcfbdd82cd87ab6766ba8218283c9aa311d9c4ed4ae6e0d01af9d3d8d5d011139f1cc0e44d744e1e009e09c	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2984	server.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	server.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe
Token: 33	2984	server.exe
Token: SeIncBasePriorityPrivilege	2984	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
280	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
280	iexplore.exe
280	iexplore.exe
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1036	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	30
PID 2516 wrote to memory of 1172	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	31
PID 2516 wrote to memory of 1172	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	31
PID 2516 wrote to memory of 1172	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	31
PID 2516 wrote to memory of 1172	2516	JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe	31
PID 1172 wrote to memory of 2768	1172	NOTanNot.exe	32
PID 1172 wrote to memory of 2768	1172	NOTanNot.exe	32
PID 1172 wrote to memory of 2768	1172	NOTanNot.exe	32
PID 1172 wrote to memory of 2768	1172	NOTanNot.exe	32
PID 2768 wrote to memory of 2940	2768	MODS.exe	33
PID 2768 wrote to memory of 2940	2768	MODS.exe	33
PID 2768 wrote to memory of 2940	2768	MODS.exe	33
PID 2768 wrote to memory of 2940	2768	MODS.exe	33
PID 2940 wrote to memory of 2676	2940	System checker.exe	34
PID 2940 wrote to memory of 2676	2940	System checker.exe	34
PID 2940 wrote to memory of 2676	2940	System checker.exe	34
PID 2940 wrote to memory of 2676	2940	System checker.exe	34
PID 2676 wrote to memory of 3040	2676	NOTANVIRUS.exe	35
PID 2676 wrote to memory of 3040	2676	NOTANVIRUS.exe	35
PID 2676 wrote to memory of 3040	2676	NOTANVIRUS.exe	35
PID 2676 wrote to memory of 3040	2676	NOTANVIRUS.exe	35
PID 3040 wrote to memory of 1256	3040	NOTLOOSER.exe	36
PID 3040 wrote to memory of 1256	3040	NOTLOOSER.exe	36
PID 3040 wrote to memory of 1256	3040	NOTLOOSER.exe	36
PID 3040 wrote to memory of 1256	3040	NOTLOOSER.exe	36
PID 1256 wrote to memory of 1132	1256	NOTVIRUS.sfx.exe	37
PID 1256 wrote to memory of 1132	1256	NOTVIRUS.sfx.exe	37
PID 1256 wrote to memory of 1132	1256	NOTVIRUS.sfx.exe	37
PID 1256 wrote to memory of 1132	1256	NOTVIRUS.sfx.exe	37
PID 1036 wrote to memory of 280	1036	fabric-installer-0.8.0.exe	38
PID 1036 wrote to memory of 280	1036	fabric-installer-0.8.0.exe	38
PID 1036 wrote to memory of 280	1036	fabric-installer-0.8.0.exe	38
PID 1036 wrote to memory of 280	1036	fabric-installer-0.8.0.exe	38
PID 280 wrote to memory of 1900	280	iexplore.exe	39
PID 280 wrote to memory of 1900	280	iexplore.exe	39
PID 280 wrote to memory of 1900	280	iexplore.exe	39
PID 280 wrote to memory of 1900	280	iexplore.exe	39
PID 1132 wrote to memory of 2984	1132	NOTVIRUS.exe	40
PID 1132 wrote to memory of 2984	1132	NOTVIRUS.exe	40
PID 1132 wrote to memory of 2984	1132	NOTVIRUS.exe	40
PID 1132 wrote to memory of 2984	1132	NOTVIRUS.exe	40
PID 2984 wrote to memory of 640	2984	server.exe	42
PID 2984 wrote to memory of 640	2984	server.exe	42
PID 2984 wrote to memory of 640	2984	server.exe	42
PID 2984 wrote to memory of 640	2984	server.exe	42
PID 2984 wrote to memory of 2200	2984	server.exe	44
PID 2984 wrote to memory of 2200	2984	server.exe	44
PID 2984 wrote to memory of 2200	2984	server.exe	44
PID 2984 wrote to memory of 2200	2984	server.exe	44

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9879774208b15b338883bb3e4b3b1f67.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\fabric-installer-0.8.0.exe
  "C:\Users\Admin\AppData\Local\Temp\fabric-installer-0.8.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://fabricmc.net/wiki/player:tutorials:java:windows
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:280
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1900
- C:\Users\Admin\AppData\Local\Temp\NOTanNot.exe
  "C:\Users\Admin\AppData\Local\Temp\NOTanNot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Users\Admin\AppData\Local\Temp\MODS.exe
    "C:\Users\Admin\AppData\Local\Temp\MODS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\System checker.exe
      "C:\Users\Admin\AppData\Local\Temp\System checker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\NOTANVIRUS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOTANVIRUS.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\NOTLOOSER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOTLOOSER.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\NOTVIRUS.sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOTVIRUS.sfx.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\NOTVIRUS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NOTVIRUS.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        9⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM Exsample.exe
        10⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ab6d97d029f4a2c38d33c06037959e7e

SHA1
eafff243077c1d6efb265b78deab691fb16a9a04

SHA256
a3947f63c236acc93d98ea9bd76656d6987b5c12b40ed7c0625e2b0e85f7a265

SHA512
ec154a51beadb6fadce1a5658b3a4e0ff45767b00a8dc6de5c2f8eac7c283dc92247016e06cd3c912226896c22d550a2226331f8690e244f8a80486a05ae17f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eecbe6689e31fb6bcfefbd0bbc6aebf4

SHA1
80f6ebddb6152ba08ce3286996e56b441d71fae6

SHA256
0b7ab1a15138af5c45a1283911b99ab65c6f2e0a280b47f58164059508b46408

SHA512
7ca88222ca178eede700a42f1d1054eca50f2b484269bf7e2c0739b3b40d6b1d069d0fb5d09b33b63dc42e79a66ff4ce04c796bee0d31a93726a6c4cb34bd25c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a4ca4ac045b051007b791f074a14774

SHA1
53e426a87855b79db24ce309e7981a14f410c464

SHA256
730fc4ceb94d1c86b3d5bcfc570384af2fc5fdd1774c68d4f0e27b793de47900

SHA512
2f76bf00ade7e7b5190059bb0cd912ecfbe2a3dcf0b5f018905ed9cb237baadfcf03b9a61cfbf84ed69bb4866c5000abb9b5a920a0aded5b1475171cd1833b6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b20f90398ea7b1acaad82cdd7609b506

SHA1
fe2d8e34e2033a13dee3a6eb52591adde041faff

SHA256
cd56851ce72bd4ca9576f11620f4f70d9e0dd6af6262d23eccd113f8db45baf3

SHA512
fac3618a6a7c3a221b310b98e52fb9366a9360d6382b6b63176af8b7f1c0b847467a5c5507395ae93073b4ffc6fcb059f01490468a85a4c04f9c3ea5b14f3965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eca5f5a0a1a0219d074cb4e13afec957

SHA1
5aaa1ea57e4d4f6e8914e4ee3ec9da47ec03f4bd

SHA256
bd62068e717afd42c86f71b3a9fab097c8743a63a185c7a8cdee6e4e0fc4ba35

SHA512
7ede639b58046e8ab419d23e6afb5e7e58bb2b1ca4ad1b8cc2ce43ca331139d218962204b4bb3b7aa95e251ee8579b2ebd336d95123c92d9bd3f600e70ef6b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
421bd96f4bd18f4f564ac648d894816f

SHA1
b7032f3e23f9c05e2ebf28c16270d8e26251e6a4

SHA256
17d66f0c5b267ba4ef084d1e1ea9fe16555cf51222c4cba634d4f091a8396ec5

SHA512
be1040809945d37e049ce9880720c8b066af626eb46a09fa92bd2312ca76cb6c59e96218a4ae2218a266d36bfd1569e85d8b31d18bb5435db46aeb7aad45a010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24fb256697e9083c7f7b3a6fc451b1d1

SHA1
6dad8c1ac0b10ebefc90d937d055f4eca06cda13

SHA256
e37b46a8fd49e9cbf1715a13f3d01ac937b78f2c2bf3ec506959f74acb401fad

SHA512
c7e1cb7edcbaaae804f2502916efcd514cdc395b6549bcf6dbe7ad2fed3576f1729bf05dfd2a87cb49313ef62d9d9953267a2a36e5836cab1ae4852082e1ddef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aebf2d62138eef2ba908d865bc0abf21

SHA1
d3964d488bc41c8553790ae21953e0bad57893fa

SHA256
d25530df91d4534bd14074dfdf9462f371cfeb80c5ee1f6660e8f75efcb16f73

SHA512
7cf3fa22ce2ee8f845bda4eb3448d6556615b578ffc0511eccb271c12bf216ea836e185aa7cfa27a17c273dc187c26dd0592b1de8c24305c1c8b0bc844cdda48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b9caeb71a4d7953fad5c67193d09e90

SHA1
3b06db05db8de006e2848db922e6b85d8ea21ad7

SHA256
cd307da30852d5ce512caec4c431bcb6adcdf363a500780aac2d375589da2a4b

SHA512
80cd560431fda31f327c4b94636d59a8496c9dcf29ba40165273278188c67c838f63feb8af193da24c6eab1c13c330f1063ac5f84ae7fb137a722ce1a32c7a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b08b0bb6c134ce4a663b6c1d44f0715

SHA1
9c3f0ad294a4ad4338f9ca474c80956f0bbedf3a

SHA256
a2351b3c19c54dda838a2614bf5b68a31fa2ca432a9bfbb09b706adba16a58d2

SHA512
0513977daf3b4a1e4c468db1bfe2f6d98ee03b6ef6e84d8ecbcd5c67a989f4d316b8bc0878afa0da55048c9a7beefbaf7bef77a2d5474e563aec5023e6529df8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9fb035148515a63a0161a70a32d112c

SHA1
85f20e00737f19a1dabe9625f33517b3c47df3da

SHA256
0e767156cda2104baa8f048f26378e43acc810388fc01aa70095b5dfb2b84f24

SHA512
d79d33f40612973927ab459712dc0ce8b49ca57f33ce9a9f6910d6ddc5d4d59adb1af48590b6ee9e89618dfcd15d8d488949e3690918c3a0f6297c5916da43ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a536163c456f9dc22b1f6b3e6ee4ba6a

SHA1
806d858f0bb6345d6d3fe9822da6ae6ef091bf97

SHA256
e645634c16f31989a09cc86d96b3fd77954b7c8d3da363ed5500e1f544c85990

SHA512
edeeaedc51c2e2af6f6d06d518df969d8863052f18d8adb34371bed4d4ec432b7016b35b4e711af6f3bac210d19404b4d0186a906ebaa0aa2525510d9143813b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c74131672fa52a64145dbf2b325a2502

SHA1
fa409662c4034d5a1036ed74f65c00908cc07a16

SHA256
44f58294250ec51a4c7c7d71753b51cd784e92a6023f09be1325878574893411

SHA512
161f07ff0b295c8e0b1aa96fe41ba2c970ba1048ac96339fcce84c1196d83f9c25fdef2b8bbc723100e3187cdd0dbff6996bdedd0d12ec5257231a816c168b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
646177ba25fb74aff2d29097d2459369

SHA1
735ec74f6207b000c9091d651a005428728f7099

SHA256
43ee0f647f6f065f09318c5914b24bfa2f702dd5c5db572ccd0174ffbcf662d8

SHA512
f5da9ea38cce00db5fb7233053dddef3ed6dad96ecdd4e6d0367e4769e8b8bac1553b88b90468eb278048e5e24f61567a4e610a8394fd6bb384628545dcebd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4749a70a0c74935bea7f7127fa1bc0fe

SHA1
44c4ea66997503e71c45cda4f20f8b75cb502019

SHA256
83e5d11d166395d1f7eaf1ac24850526f3cac01ad09d1625a031b9b7659c6351

SHA512
562a9ab7eff3605a6c7855a9968295e43e6f3a2f2253ce428a7afea85ecf47525e6b8442d0b2693431126a07f46785744bd9ac98a6445cf2b7913a7ae68a623f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbc80261b2ee6588f50d30103d5438fd

SHA1
46589174cb3cb3318e13544cde4f2b2bd95c72a9

SHA256
8b9bd24e007adcaec7df410c450059d0f88b301a1454276d93af40a3d6d4634c

SHA512
3b1b0dbfd61d054b84a2bb533281dbccca53464b74850e4f0be4c689764615fd58387df8fadbb72f79eda9726a19cbf1fa30f205fdaf3771557380350a795c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0f6c108b1b491aca6dbb956e60e5912

SHA1
66f75afe608dab6e9cb84429177a768b0dc706b3

SHA256
3abcdef79833782b00841d628acaabe28041af26e049079f68c9c4d2d9446a39

SHA512
621050ddd05e4b8bcc5f78b2f91786392868641275897de98b69468d2b7fe23b1bf22f92d936a4378c2bd19d831f365fbedc8aa4b43d1b93bd064bae2efd7297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32873e4ac2ee70a27b85105fc9f23ad0

SHA1
53a664ddc4e6f87f35976b3f08529ec26c87125a

SHA256
93093d2de1d73720d595aa0be86c92453ae18689f1a8840d0c0aedf56b7f0711

SHA512
455b689df0776aeb975a388bdb21e403909fc0b210e0a413e3523b3d63b82b3b75c6a1f9fcd23486674214d978cb0093bb56e714b68276f4f1416126b74a0300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
352cfc8ea0f828c4a40b9db069c83da2

SHA1
e9921cf6291f7a45694c993dd3bab65eb1e4b651

SHA256
f04e2fff2f07ca74dafa37c813b3273160a9cecba2a53fb5f9abfc0a76a536e5

SHA512
d87d92bd9dc86648d17e8c3fba430910fe447642efa7c465db4993ab88381614b66abe918184c869b59f18c4ffa80a319b77df49b6d891350da641c1cfbcf157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c3c84c19bbe684eee356c081921d6c7f

SHA1
b9b77a1e1e7e6b16b062701b23f427b518956d12

SHA256
44185345afb0243764810252533e6ca5b33bff2a4ad0d95635416eef02d17641

SHA512
b7aa797e160799374847d9ff58f98608ed5c8d77e07b12e2e5d0ac1729ffb9185a5736dcb13b44e8f04a4ba7ac0c6b9349ea567b8a98a6ed2febba63032f6340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\yiu0yt6\imagestore.dat

Filesize
99KB

MD5
7f00247fd0effc65cd4b6e90838703f9

SHA1
12716e2d320e877c400922171651ce560f40fa26

SHA256
85b9ad916e460fdb71a592ba602dd90d8ec382be14a2ddf43083c3384752d462

SHA512
5b94da72fcc35d4e1390bde1d4971752cf3ae69e925c94e463a13f21b5b428ec04410b0e820ebb0986449da76794dcda4497e863dadbe21bf5d05edbab008f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\favicon[1].ico

Filesize
98KB

MD5
94bed0e172b2d893f1a2e046ed9a9baf

SHA1
050d1b4d6752dd973ddb31beca55815e300180b7

SHA256
ad44b5a49faee0d955620c627d1710e662893688522e7051dfdae10b42984a27

SHA512
515e21806859deee755e617bf1ddb28b363b34e65b4cb6853764e6f53014d405184b6fdf333ae33722d8e7a69b8c93f401c5cacce0e217013237ffa475994fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab565B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar565E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\MODS.exe

Filesize
9.0MB

MD5
92527cbd8a40915461d54399f6067fdb

SHA1
924ef6c4ecfa77ff74690c825c8a2dcb0e1b833c

SHA256
3240795dd9214e9f92a1bc1560b9f46f2d703bb5154a646750bcebe095d48148

SHA512
fd41d707e4938767fbaaeff2bb0a8c2d5fe1d4f7638b4d599f7ca327065379c6288a22f70bc66099e9996b2137f62e8ab426a4125096de0f405c1a8ad93b584a

Download Submit
\Users\Admin\AppData\Local\Temp\NOTANVIRUS.exe

Filesize
4.7MB

MD5
849e4effcb9775993f20173e82433ff5

SHA1
233338cfe6df040c43fd225ed27eaf930dc8b8af

SHA256
abcc2e404458c1496e9446ebd697ca6ad530935f33eda155b06e052759bd598c

SHA512
aaf942c8c95a043fe1c10cd66ce5e962ac604b60017eb99a75a89f38c8f2bac7dd625427eba82f492a95291f831f73b30985fa7145df526ca8e7b70887a0f70e

Download Submit
\Users\Admin\AppData\Local\Temp\NOTLOOSER.exe

Filesize
2.5MB

MD5
f9f3ea1df9cae216e8546aaa6ed95fdb

SHA1
1720c4170ddad930aa94188d23e6749285c8cbe2

SHA256
5b2e319b409f5655dc5086669cf078622bb11ecd85fd9b3bf6a47031af647bf2

SHA512
a6e2c74bf90c8cdffe48da3fca833f70e2ca56ddab18225539f4e2933c398f4ac56f09224b734439f4b0b0d692b59efb3aa2e1cf741254e1f7e1d6f86a1e2235

Download Submit
\Users\Admin\AppData\Local\Temp\NOTVIRUS.exe

Filesize
36KB

MD5
89fd86be3a42e20b390c3f4b0651a0ba

SHA1
f1543e1be692db024f1800bcf7cf43e5921be1e2

SHA256
f007f1756a8aff5bfdc1aa84ee88e56b32acd948e5b12097bb93b989e658c58c

SHA512
8e2a87e4a94a485e64bd54a3d944a9b1018b51cfed207268e0f2ca1b7feb5c4ed2f8571b3ffd6946b8db0f861a863f047cfec5718f52a5d3fbe344aa81a80c35

Download Submit
\Users\Admin\AppData\Local\Temp\NOTVIRUS.sfx.exe

Filesize
326KB

MD5
d280d91dadcbc8d4cfa56410250c86a3

SHA1
03b0a69e84eb9eb2b0f9286faf14b1178e40643b

SHA256
60cf21a6663455edf240ae0e253cae326965aa4e3b2bf52fec8f181b75926e7a

SHA512
addd6cff7cf47c348111c3ebdb9a37e66baee9e2b522699d6d07977d328b72181576ac3f7a2f9bdd84baef57e971601e60dde76c1477e602c1b13a5d71bd28d0

Download Submit
\Users\Admin\AppData\Local\Temp\NOTanNot.exe

Filesize
9.1MB

MD5
98a517b99c8c361d58397a6c99ee8c31

SHA1
32b66ef4bfc386dc6bfb35af9922a3f8f1b19f4e

SHA256
75c317765dee954a0db6fa6a9461d95bae6ca0d0e01f6016a39684b9dc8c1099

SHA512
161ff276fe52409d1808ef34cfbb873de547b03510f7014930d3888452a43ab8c279bfcf729df2c6a2866f547d61357691da9fbb909374343543f1ad8dcc8e90

Download Submit
\Users\Admin\AppData\Local\Temp\System checker.exe

Filesize
6.9MB

MD5
1ddea56cc423c39b99178780efd2feab

SHA1
f383921429530184e406096220d6c24b54336068

SHA256
4d288f5715893122d463079643fd7eee3282bd7630444fffcc302446fed9f7e1

SHA512
0f536341a3b470cd59df7b63d1b9ef72e5dba05541a3705b3de04e2b16f2683372088788d3936fce2857fd816b55253dfde5ee5642a5da4ef1b702d1b615f804

Download Submit
\Users\Admin\AppData\Local\Temp\fabric-installer-0.8.0.exe

Filesize
447KB

MD5
9300d91f4958eae086fef390227289d8

SHA1
7f4898fcd26047e1ee5c470da0813e32bbbdd47b

SHA256
029fecd75b1b9305c2d2e4c9ffb5d66f3da7934ab7a78d680e0d7dc9ff84b473

SHA512
748d2a473ee49b3eac1bca2006ca461aec80d2a3cc9a930260a4bc978e81c5026b660a0a266640c5a772d7bdf82de0f58767bc625874ce4c1bda775d7023223a

Download Submit