njrat | 60600f983d15d7313292ae4f84daf1a97fc627bc3f70f5b854004fda492cdc7f

Analysis

max time kernel
141s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C0D3X17-NUKER.exe
Size

37.5MB
MD5

1723589503194e30504ab703f55b70fd
SHA1

1a74dcf5d737dd91bdeee28859c5d44506be9b16
SHA256

60600f983d15d7313292ae4f84daf1a97fc627bc3f70f5b854004fda492cdc7f
SHA512

7f457e68ab252a22c209c261ad5a97c2b3770fe73fbee1463aeb4d94b8f779344ae99ac019cdc099feda1441256d134674e236744799f9ec7dc065ed1637db93
SSDEEP

786432:t8zERMQ/lE2eFCvSuaPHY3hep5lbvMycOsujlVT2r9jgD/TeoL:2zERMQt7eYRebNrcOhfmj3u

Score

10^/10

njrat xworm 2025 host defense_evasion discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

1VeDwfujGeaxOsgJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

2025 HOST

microsoft-365-updater.duckdns.org:5552

Mutex

5b4af3576e30808651ae14fbef1ee719

Attributes

reg_key
5b4af3576e30808651ae14fbef1ee719
splitter
|'|'|

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012266-5.dat	family_xworm
behavioral1/memory/2184-10-0x0000000000830000-0x000000000083E000-memory.dmp	family_xworm

Njrat family
njrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2352	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b4af3576e30808651ae14fbef1ee719.exe	GameSDK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b4af3576e30808651ae14fbef1ee719.exe	GameSDK.exe

Executes dropped EXE 16 IoCs

pid	Process
2184	rundl32.exe
2932	host.exe
2144	Stable_Network.exe
2972	system.dll.exe
2584	GameSDK.exe
2612	CL_Debug_Log.txt
1588	Antimalware Service Executable.exe
1624	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
2460	Antimalware Service Executable.exe
2836	tor.exe
1260	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe
2972	Antimalware Service Executable.exe

Loads dropped DLL 20 IoCs

pid	Process
2044	C0D3X17-NUKER.exe
2044	C0D3X17-NUKER.exe
2044	C0D3X17-NUKER.exe
2044	C0D3X17-NUKER.exe
2044	C0D3X17-NUKER.exe
2884	Process not Found
2932	host.exe
2932	host.exe
2144	Stable_Network.exe
1572	taskeng.exe
2856	Process not Found
2312	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
1880	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\5b4af3576e30808651ae14fbef1ee719 = "\"C:\\ProgramData\\GameSDK.exe\" .."	GameSDK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5b4af3576e30808651ae14fbef1ee719 = "\"C:\\ProgramData\\GameSDK.exe\" .."	GameSDK.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
66	raw.githubusercontent.com
81	raw.githubusercontent.com
141	raw.githubusercontent.com
151	raw.githubusercontent.com
178	raw.githubusercontent.com
77	raw.githubusercontent.com
94	raw.githubusercontent.com
165	raw.githubusercontent.com
196	raw.githubusercontent.com
90	raw.githubusercontent.com
150	raw.githubusercontent.com
183	raw.githubusercontent.com
89	raw.githubusercontent.com
110	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
72	raw.githubusercontent.com
112	raw.githubusercontent.com
121	raw.githubusercontent.com
128	raw.githubusercontent.com
146	raw.githubusercontent.com
9	raw.githubusercontent.com
42	raw.githubusercontent.com
59	raw.githubusercontent.com
78	raw.githubusercontent.com
85	raw.githubusercontent.com
111	raw.githubusercontent.com
124	raw.githubusercontent.com
159	raw.githubusercontent.com
36	raw.githubusercontent.com
52	raw.githubusercontent.com
73	raw.githubusercontent.com
170	raw.githubusercontent.com
171	raw.githubusercontent.com
194	raw.githubusercontent.com
46	raw.githubusercontent.com
63	raw.githubusercontent.com
74	raw.githubusercontent.com
84	raw.githubusercontent.com
106	raw.githubusercontent.com
154	raw.githubusercontent.com
10	raw.githubusercontent.com
35	raw.githubusercontent.com
79	raw.githubusercontent.com
147	raw.githubusercontent.com
40	raw.githubusercontent.com
48	raw.githubusercontent.com
50	raw.githubusercontent.com
86	raw.githubusercontent.com
105	raw.githubusercontent.com
107	raw.githubusercontent.com
201	raw.githubusercontent.com
39	raw.githubusercontent.com
136	raw.githubusercontent.com
69	raw.githubusercontent.com
163	raw.githubusercontent.com
186	raw.githubusercontent.com
188	raw.githubusercontent.com
34	raw.githubusercontent.com
43	raw.githubusercontent.com
109	raw.githubusercontent.com
57	raw.githubusercontent.com
61	raw.githubusercontent.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b000000016cab-13.dat	autoit_exe
behavioral1/files/0x001200000001957c-437.dat	autoit_exe
behavioral1/files/0x0019000000019515-531.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 2460	2312	Antimalware Service Executable.exe	48
PID 2312 set thread context of 2972	2312	Antimalware Service Executable.exe	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameSDK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C0D3X17-NUKER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stable_Network.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\BCXRJFKE\root\CIMV2	Stable_Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\BCXRJFKE\root\CIMV2	Antimalware Service Executable.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	rundl32.exe
Token: SeRestorePrivilege	2612	CL_Debug_Log.txt
Token: 35	2612	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2612	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2612	CL_Debug_Log.txt
Token: SeDebugPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: SeRestorePrivilege	2460	Antimalware Service Executable.exe
Token: 35	2460	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2460	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2460	Antimalware Service Executable.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: 33	2584	GameSDK.exe
Token: SeIncBasePriorityPrivilege	2584	GameSDK.exe
Token: SeRestorePrivilege	2972	Antimalware Service Executable.exe
Token: 35	2972	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2972	Antimalware Service Executable.exe
Token: SeSecurityPrivilege	2972	Antimalware Service Executable.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
1624	Antimalware Service Executable.exe
1624	Antimalware Service Executable.exe
1624	Antimalware Service Executable.exe
1588	Antimalware Service Executable.exe
1588	Antimalware Service Executable.exe
1588	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
1260	Antimalware Service Executable.exe
1260	Antimalware Service Executable.exe
1260	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2144	Stable_Network.exe
2144	Stable_Network.exe
2144	Stable_Network.exe
1624	Antimalware Service Executable.exe
1624	Antimalware Service Executable.exe
1624	Antimalware Service Executable.exe
1588	Antimalware Service Executable.exe
1588	Antimalware Service Executable.exe
1588	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
2312	Antimalware Service Executable.exe
1260	Antimalware Service Executable.exe
1260	Antimalware Service Executable.exe
1260	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
1052	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
2580	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe
1764	Antimalware Service Executable.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2184	2044	C0D3X17-NUKER.exe	30
PID 2044 wrote to memory of 2184	2044	C0D3X17-NUKER.exe	30
PID 2044 wrote to memory of 2184	2044	C0D3X17-NUKER.exe	30
PID 2044 wrote to memory of 2184	2044	C0D3X17-NUKER.exe	30
PID 2044 wrote to memory of 2144	2044	C0D3X17-NUKER.exe	31
PID 2044 wrote to memory of 2144	2044	C0D3X17-NUKER.exe	31
PID 2044 wrote to memory of 2144	2044	C0D3X17-NUKER.exe	31
PID 2044 wrote to memory of 2144	2044	C0D3X17-NUKER.exe	31
PID 2044 wrote to memory of 2932	2044	C0D3X17-NUKER.exe	32
PID 2044 wrote to memory of 2932	2044	C0D3X17-NUKER.exe	32
PID 2044 wrote to memory of 2932	2044	C0D3X17-NUKER.exe	32
PID 2044 wrote to memory of 2932	2044	C0D3X17-NUKER.exe	32
PID 2044 wrote to memory of 2972	2044	C0D3X17-NUKER.exe	33
PID 2044 wrote to memory of 2972	2044	C0D3X17-NUKER.exe	33
PID 2044 wrote to memory of 2972	2044	C0D3X17-NUKER.exe	33
PID 2044 wrote to memory of 2972	2044	C0D3X17-NUKER.exe	33
PID 2932 wrote to memory of 2584	2932	host.exe	36
PID 2932 wrote to memory of 2584	2932	host.exe	36
PID 2932 wrote to memory of 2584	2932	host.exe	36
PID 2932 wrote to memory of 2584	2932	host.exe	36
PID 2144 wrote to memory of 2612	2144	Stable_Network.exe	37
PID 2144 wrote to memory of 2612	2144	Stable_Network.exe	37
PID 2144 wrote to memory of 2612	2144	Stable_Network.exe	37
PID 2144 wrote to memory of 2612	2144	Stable_Network.exe	37
PID 2584 wrote to memory of 2352	2584	GameSDK.exe	39
PID 2584 wrote to memory of 2352	2584	GameSDK.exe	39
PID 2584 wrote to memory of 2352	2584	GameSDK.exe	39
PID 2584 wrote to memory of 2352	2584	GameSDK.exe	39
PID 2144 wrote to memory of 2404	2144	Stable_Network.exe	41
PID 2144 wrote to memory of 2404	2144	Stable_Network.exe	41
PID 2144 wrote to memory of 2404	2144	Stable_Network.exe	41
PID 2144 wrote to memory of 2404	2144	Stable_Network.exe	41
PID 2404 wrote to memory of 2064	2404	cmd.exe	43
PID 2404 wrote to memory of 2064	2404	cmd.exe	43
PID 2404 wrote to memory of 2064	2404	cmd.exe	43
PID 2404 wrote to memory of 2064	2404	cmd.exe	43
PID 1572 wrote to memory of 1588	1572	taskeng.exe	45
PID 1572 wrote to memory of 1588	1572	taskeng.exe	45
PID 1572 wrote to memory of 1588	1572	taskeng.exe	45
PID 1572 wrote to memory of 1624	1572	taskeng.exe	46
PID 1572 wrote to memory of 1624	1572	taskeng.exe	46
PID 1572 wrote to memory of 1624	1572	taskeng.exe	46
PID 1624 wrote to memory of 2312	1624	Antimalware Service Executable.exe	47
PID 1624 wrote to memory of 2312	1624	Antimalware Service Executable.exe	47
PID 1624 wrote to memory of 2312	1624	Antimalware Service Executable.exe	47
PID 2312 wrote to memory of 2460	2312	Antimalware Service Executable.exe	48
PID 2312 wrote to memory of 2460	2312	Antimalware Service Executable.exe	48
PID 2312 wrote to memory of 2460	2312	Antimalware Service Executable.exe	48
PID 2312 wrote to memory of 2460	2312	Antimalware Service Executable.exe	48
PID 2312 wrote to memory of 2460	2312	Antimalware Service Executable.exe	48
PID 2312 wrote to memory of 2836	2312	Antimalware Service Executable.exe	50
PID 2312 wrote to memory of 2836	2312	Antimalware Service Executable.exe	50
PID 2312 wrote to memory of 2836	2312	Antimalware Service Executable.exe	50
PID 1572 wrote to memory of 1260	1572	taskeng.exe	52
PID 1572 wrote to memory of 1260	1572	taskeng.exe	52
PID 1572 wrote to memory of 1260	1572	taskeng.exe	52
PID 1572 wrote to memory of 2580	1572	taskeng.exe	53
PID 1572 wrote to memory of 2580	1572	taskeng.exe	53
PID 1572 wrote to memory of 2580	1572	taskeng.exe	53
PID 1260 wrote to memory of 1052	1260	Antimalware Service Executable.exe	54
PID 1260 wrote to memory of 1052	1260	Antimalware Service Executable.exe	54
PID 1260 wrote to memory of 1052	1260	Antimalware Service Executable.exe	54
PID 2580 wrote to memory of 1764	2580	Antimalware Service Executable.exe	56
PID 2580 wrote to memory of 1764	2580	Antimalware Service Executable.exe	56

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\C0D3X17-NUKER.exe
"C:\Users\Admin\AppData\Local\Temp\C0D3X17-NUKER.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\rundl32.exe
  "C:\Users\Admin\AppData\Roaming\rundl32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Users\Admin\AppData\Roaming\Stable_Network.exe
  "C:\Users\Admin\AppData\Roaming\Stable_Network.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2064
- C:\Users\Admin\AppData\Local\Temp\host.exe
  "C:\Users\Admin\AppData\Local\Temp\host.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\ProgramData\GameSDK.exe
    "C:\ProgramData\GameSDK.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\ProgramData\GameSDK.exe" "GameSDK.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2352
- C:\Users\Admin\AppData\Local\Temp\system.dll.exe
  "C:\Users\Admin\AppData\Local\Temp\system.dll.exe"
  2⤵
  - Executes dropped EXE
  PID:2972

C:\Windows\system32\taskeng.exe
taskeng.exe {5C9548C3-9A2C-4ECD-ABB6-3FDB2BA4FFC8} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2460
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2836
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2972
  - - C:\Windows\System32\attrib.exe
      -o stratum+tcp://pool.supportxmr.com:3333 -u 428jMEBAdSKHQGHrnDMJzK16oJ1irAGkEgLZrhkJjNSxfsHQ8cpLn8QBAQWcpodf7bjFLt1wQHbJ8JNg3Em5EspB1MsE9zY -p x -t 4
      4⤵
      Views/modifies file attributes
      PID:1688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1052
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck38142
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59d6e34f367c0ea7df1bd72cc72f2feb

SHA1
52194abca1b1c30bdb9fe38246898255957b7106

SHA256
a8014ccd9427a9eb42677b364439c6880d70634a549355adf27c1c2fbc1ebcee

SHA512
3e62c7a514dcb0cfd0f1fb36f0438cbf4649e65f66d7d2803cba12ff7ae73e64ea1d9e00a8263366a9dcc830b643eaf6f26943da62832bed2614bb9901cb0aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
f71859e5750415fb32eb045e58635cae

SHA1
fa70d2a35caeb0c12214775cad8cdd8ff0583b59

SHA256
8d668f74825fd8cf5809d9c63e36084bd04d672585fb1f5cdda429e052b8488e

SHA512
423bc36ec4d2b811aa54685a70d5b9daad21d31e95759b1437b7b1966bcdd05d322a76c4288dc647b35bd4b1f6acc0c692fa4ba365715e55671da4edef65df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
4f19535079b64da77ce91d429cfbcfdc

SHA1
68b4d4679024111b246c45328db9478f3a67a709

SHA256
fc02c6319cc5b32536a4b1773a5aba82c213fed6de3249d117b2c8ffe5c82b58

SHA512
fcea894e6a00384c4af0d5abd8143a72b122c6e3052b602ee4a150c89b538e4ac5f76dcbc01770548dba6ef67dd13420450d368bfb42ddcf4fd11995181382dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
053bd8fa3b586bd5b8ee60970c6cae44

SHA1
ada9b5270e7025a5438bc0066f68286243db15c7

SHA256
e0e342cd6302970770d542d516a02a445c13f1f6a77799342ced658ca4e3f8ad

SHA512
0bc717c9bc09ee019662ee3cee795ad5510981d36ca706872f776385b4b98826768c5a5136e592e997383690a0d1634d72d4462a05120550a6e5a3295e5a587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC322.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
46f2f154060d639b1f5f1ceb47ba9574

SHA1
6bdee2c266f48415b9d580801fea16a9d43faa25

SHA256
a08b36bde4948ac2878d5aaaad2e2cacf0ed2b1fde097b9c6ae2d777843b1d4f

SHA512
752e3042d9e3b50748d4075aca84ab61a975dad6be1d5c1ef6d807e8933048e75221ea0babf935b1aee778bad3f51374ca3984418cb4587d5f2e1de45b07f7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC344.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
5aa219d1ea73f71f39e2b4cf09f84787

SHA1
66c996348e41aa32686d5eb9389dfc4dcbdf6acb

SHA256
48e152a15e74d7d397fe6f51a9b183091352930e695b56d3a0d3ee80197664b0

SHA512
77426e81f92479c930d221c4e6c5397027b2f1036895eb42a374674cd73d7ed8c1df59ec7adbdbff2ce67c15a8ded2f59db9349804df59921daab15cd1bbbe72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
31KB

MD5
83be17929cfdcdd980df9c1e503a8981

SHA1
a9d1e61e7262b2bc79c382650f719e9ae5dc8781

SHA256
3ad3167bea981c627ee3ebd5fa076c39797f218d7631251a703109e9d1b410b1

SHA512
70d903c37603d4cc127f3e1a34df8f4f0f5205f14b04b0eafe08e5c8f4400a5998dfa4a98615140c3760910303ab65628485d103576fddc58be2450c154228f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
05f3b6fff7f499a5c283a54b92691aae

SHA1
2fe985d1b7ecbe49cd11b9aaa327e56fa562b961

SHA256
62bae30cd099cc15e79d4b5683c0a265177a7e3807fef4bba1d289ba358f2545

SHA512
4f0221e7d924de5e03bf3ec6b80c130fc7495fdb3258e5d112bb4790b77416dcf2465d24ce6fe0657e74e3c965f2c7e1149a94f847174e0459a22102f2bc1782

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.8MB

MD5
bdc17a40189524c79e32b279ab68df94

SHA1
60e7dd38bc6808a6b2fa1270958b7ae0a332eaba

SHA256
26535964b0f447c10f31e7c4dbfe3e84ef9df7fc97038cf225c49fbd12431d72

SHA512
dcb0b1e7289a2cd5e13384c745ae423c89a77efd3eb2e5979a562b69cce0ee4cda9728a94e12ee3eb57da52dcc0e86a58937033d280dcd2ebc61432d8580a0fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
21.4MB

MD5
3fb0a7a18fe0d4c689e84a9472c6a7e0

SHA1
b146ba746d2a86cdb0fb75aa72517aaca0838f5b

SHA256
bf824acb68af5fa21ba00524637ae368e5571a6cc2f514bf1c34cf0767d8f105

SHA512
cd10530681feaecf438482e0577f053ef0154bdf788e4622ee5dfba1e3c9fc2795c9f0cb64ef368e9cbba9de68504d6ae2c6eea0924ec02b13d33bc2af47dd0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
15.8MB

MD5
44dda8541e62ac3f8d885241cd5afaf1

SHA1
412352f8793ca7d38093a89b8b8399ef2c5b9caf

SHA256
72033efaeabdddd3ce7fea3fadcd6bb78a8b8a007ebd8e0f72f92cc84ea83492

SHA512
c5f5d41c9871648355f57015f01d9d55fc629143b114d32615c15b8d050191e1c494dddeba0d0b102308b0c95a25f3bc62defbf2ec8939bbf43cfe6d29d4f4c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
3KB

MD5
d8a85c518afeb319deb17883e403a442

SHA1
b8fc9b52424997eea72ad1434cfbdf5835f9862a

SHA256
4ed59df9711325b5bc3530915dd79afe1feb7a09e858109734715d93546982e3

SHA512
6882142718fa05e4f9c3db8799855fc308879b2b7613d903b42ab2786138ef6dc96cefcb7a45df0df65316c1bddb9fcdac85650fa8ce9dceb3273e83eeefa7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
12de38433d9208b58d49cc6cf7301cfd

SHA1
78ba135cd7e33ac6a8ee5a7919d8f83bcf70f91a

SHA256
e52fd12bbcf7acc6e1e0ba8a20775163732292b2743a79dc4de0b93e337e959d

SHA512
4074ae457c922b3b23be1068be634fae6cdcc559a9165780ff4fbab1b373084d9fa0ec97e0b405c303b354626274db6f7262ec060243cdd056a2b3a1774b5801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
\Users\Admin\AppData\Local\Temp\host.exe

Filesize
22KB

MD5
1b6c329b64a9d5a8b37db35c6ab08d81

SHA1
9d233019f811dc56810102889838e5087a1f18b1

SHA256
4cc11297a2bd2f4d4cbbb8ed3123e46db325a0808a29499897c34e3e49d392f9

SHA512
df80242f2e33269c6cbdfef39460fcfb3f5b44c1f7463c8c897813c9ad2f828769e486469e948dbcd6378791c2917ac8f39cabb38a797207cc55e4cfee794fe7

Download Submit
\Users\Admin\AppData\Local\Temp\system.dll.exe

Filesize
37.2MB

MD5
fe7289489248263aa30870bb95892163

SHA1
c5f853974f90c6f032d7119eae24a811dd4a55af

SHA256
8f41b4f16a02cf70f620b3f9cc8d11eb3d97707eb8d50f418789628ad77c4bf9

SHA512
aebcec7967744dab0f605e349d396a8e397b7e36f9d5f80c38f6caf08f2cf45edb7ab873cfee59082ad7f54bb4b092593c434e1755ec3ca13d8273b734e4c0bc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
\Users\Admin\AppData\Roaming\Stable_Network.exe

Filesize
15.9MB

MD5
a1a51313f8d07d2eb4ca0123108094e1

SHA1
4024e60d52e4c992596b73cb205ea7b4a1a91ae0

SHA256
8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63

SHA512
3a43cdaae6d988f935f4092d5a9a4eb3cf2f2230d438858a3dc24eec6b050c21c1844f899b60fc69ed3d34b76f2f4057b82e8730f149b0103628af7219392e4d

Download Submit
\Users\Admin\AppData\Roaming\rundl32.exe

Filesize
32KB

MD5
c51af2c2a47ba5716ba57939bbe28b5d

SHA1
3e7294cba2e81cec02b5c18db9c8e6b6fdea60a6

SHA256
52055979386ff9f81bceaa8a2a2e2be3f0f78e74097bf34b7c7aa8bd0cd01033

SHA512
0f0e9dcd7eb85820e4be8a19cc471b8599c1b69e2750b528e88e8fd508bd994a382f4fdd10850f74966732c6e46a48ec92c9155c1bb516a2e94de70494ade28a

Download Submit
memory/2044-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-47-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-202-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/2184-9-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/2184-10-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2184-27-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-212-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-3654-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/2460-3530-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/2460-3532-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download
memory/2460-3533-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/2836-6036-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-4609-0x0000000071A70000-0x0000000071D5D000-memory.dmp

Filesize
2.9MB

Download
memory/2836-4607-0x0000000073580000-0x00000000735D4000-memory.dmp

Filesize
336KB

Download
memory/2836-8824-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-11546-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-4608-0x0000000072560000-0x00000000725F8000-memory.dmp

Filesize
608KB

Download
memory/2836-4605-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-5324-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-4610-0x0000000072480000-0x0000000072553000-memory.dmp

Filesize
844KB

Download
memory/2836-11680-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-6837-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2836-4611-0x0000000073550000-0x0000000073573000-memory.dmp

Filesize
140KB

Download
memory/2836-4606-0x00000000735E0000-0x00000000736C3000-memory.dmp

Filesize
908KB

Download
memory/2836-7587-0x0000000000F10000-0x0000000001371000-memory.dmp

Filesize
4.4MB

Download
memory/2972-11611-0x0000000000510000-0x0000000000633000-memory.dmp

Filesize
1.1MB

Download
memory/2972-11580-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2972-11581-0x0000000000510000-0x0000000000633000-memory.dmp

Filesize
1.1MB

Download