njrat | 60600f983d15d7313292ae4f84daf1a97fc627bc3f70f5b854004fda492cdc7f

Analysis

max time kernel
10s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C0D3X17-NUKER.exe
Size

37.5MB
MD5

1723589503194e30504ab703f55b70fd
SHA1

1a74dcf5d737dd91bdeee28859c5d44506be9b16
SHA256

60600f983d15d7313292ae4f84daf1a97fc627bc3f70f5b854004fda492cdc7f
SHA512

7f457e68ab252a22c209c261ad5a97c2b3770fe73fbee1463aeb4d94b8f779344ae99ac019cdc099feda1441256d134674e236744799f9ec7dc065ed1637db93
SSDEEP

786432:t8zERMQ/lE2eFCvSuaPHY3hep5lbvMycOsujlVT2r9jgD/TeoL:2zERMQt7eYRebNrcOhfmj3u

Score

10^/10

njrat xworm 2025 host defense_evasion discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

1VeDwfujGeaxOsgJ

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

2025 HOST

microsoft-365-updater.duckdns.org:5552

Mutex

5b4af3576e30808651ae14fbef1ee719

Attributes

reg_key
5b4af3576e30808651ae14fbef1ee719
splitter
|'|'|

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023af8-7.dat	family_xworm
behavioral2/memory/1064-15-0x0000000000600000-0x000000000060E000-memory.dmp	family_xworm

Njrat family
njrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe
3600	powershell.exe
1956	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2488	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	C0D3X17-NUKER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	system.dll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	host.exe

Executes dropped EXE 6 IoCs

pid	Process
1064	rundl32.exe
468	Stable_Network.exe
924	host.exe
1356	system.dll.exe
3700	CL_Debug_Log.txt
1712	GameSDK.exe

Loads dropped DLL 1 IoCs

pid	Process
1356	system.dll.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
26	discord.com
35	discord.com
13	raw.githubusercontent.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
3552	cmd.exe
3256	cmd.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000b000000023b48-21.dat	autoit_exe
behavioral2/files/0x000b000000023ab4-192.dat	autoit_exe
behavioral2/files/0x000b000000023ab3-217.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\YgQOh7Vb3L.txt	system.dll.exe
File opened for modification	C:\Windows\System32\YgQOh7Vb3L.txt	system.dll.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3380	tasklist.exe
4552	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameSDK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C0D3X17-NUKER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stable_Network.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\ZOHHKDLF\root\CIMV2	Stable_Network.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1768	powershell.exe
1768	powershell.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	rundl32.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeRestorePrivilege	3700	CL_Debug_Log.txt
Token: 35	3700	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3700	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3700	CL_Debug_Log.txt
Token: SeDebugPrivilege	3380	tasklist.exe
Token: SeDebugPrivilege	4552	tasklist.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
468	Stable_Network.exe
468	Stable_Network.exe
468	Stable_Network.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1064	1600	C0D3X17-NUKER.exe	86
PID 1600 wrote to memory of 1064	1600	C0D3X17-NUKER.exe	86
PID 1600 wrote to memory of 468	1600	C0D3X17-NUKER.exe	87
PID 1600 wrote to memory of 468	1600	C0D3X17-NUKER.exe	87
PID 1600 wrote to memory of 468	1600	C0D3X17-NUKER.exe	87
PID 1600 wrote to memory of 924	1600	C0D3X17-NUKER.exe	88
PID 1600 wrote to memory of 924	1600	C0D3X17-NUKER.exe	88
PID 1600 wrote to memory of 924	1600	C0D3X17-NUKER.exe	88
PID 1600 wrote to memory of 1356	1600	C0D3X17-NUKER.exe	89
PID 1600 wrote to memory of 1356	1600	C0D3X17-NUKER.exe	89
PID 1356 wrote to memory of 4952	1356	system.dll.exe	92
PID 1356 wrote to memory of 4952	1356	system.dll.exe	92
PID 4952 wrote to memory of 1768	4952	cmd.exe	93
PID 4952 wrote to memory of 1768	4952	cmd.exe	93
PID 1768 wrote to memory of 3732	1768	powershell.exe	95
PID 1768 wrote to memory of 3732	1768	powershell.exe	95
PID 3732 wrote to memory of 1244	3732	csc.exe	96
PID 3732 wrote to memory of 1244	3732	csc.exe	96
PID 468 wrote to memory of 3700	468	Stable_Network.exe	99
PID 468 wrote to memory of 3700	468	Stable_Network.exe	99
PID 468 wrote to memory of 3700	468	Stable_Network.exe	99
PID 1356 wrote to memory of 3928	1356	system.dll.exe	101
PID 1356 wrote to memory of 3928	1356	system.dll.exe	101
PID 3928 wrote to memory of 3380	3928	cmd.exe	102
PID 3928 wrote to memory of 3380	3928	cmd.exe	102
PID 924 wrote to memory of 1712	924	host.exe	103
PID 924 wrote to memory of 1712	924	host.exe	103
PID 924 wrote to memory of 1712	924	host.exe	103
PID 1356 wrote to memory of 216	1356	system.dll.exe	104
PID 1356 wrote to memory of 216	1356	system.dll.exe	104
PID 1356 wrote to memory of 3552	1356	system.dll.exe	105
PID 1356 wrote to memory of 3552	1356	system.dll.exe	105
PID 216 wrote to memory of 4552	216	cmd.exe	106
PID 216 wrote to memory of 4552	216	cmd.exe	106
PID 3552 wrote to memory of 1176	3552	cmd.exe	107
PID 3552 wrote to memory of 1176	3552	cmd.exe	107
PID 468 wrote to memory of 2640	468	Stable_Network.exe	108
PID 468 wrote to memory of 2640	468	Stable_Network.exe	108
PID 468 wrote to memory of 2640	468	Stable_Network.exe	108
PID 2640 wrote to memory of 2856	2640	cmd.exe	110
PID 2640 wrote to memory of 2856	2640	cmd.exe	110
PID 2640 wrote to memory of 2856	2640	cmd.exe	110
PID 1356 wrote to memory of 3256	1356	system.dll.exe	111
PID 1356 wrote to memory of 3256	1356	system.dll.exe	111
PID 3256 wrote to memory of 3904	3256	cmd.exe	112
PID 3256 wrote to memory of 3904	3256	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\C0D3X17-NUKER.exe
"C:\Users\Admin\AppData\Local\Temp\C0D3X17-NUKER.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Roaming\rundl32.exe
  "C:\Users\Admin\AppData\Roaming\rundl32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Users\Admin\AppData\Roaming\Stable_Network.exe
  "C:\Users\Admin\AppData\Roaming\Stable_Network.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2856
- C:\Users\Admin\AppData\Local\Temp\host.exe
  "C:\Users\Admin\AppData\Local\Temp\host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\ProgramData\GameSDK.exe
    "C:\ProgramData\GameSDK.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1712
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\ProgramData\GameSDK.exe" "GameSDK.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2488
- C:\Users\Admin\AppData\Local\Temp\system.dll.exe
  "C:\Users\Admin\AppData\Local\Temp\system.dll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Kc2rwSo0Mx.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\Kc2rwSo0Mx.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lgblvoi2\lgblvoi2.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE4A.tmp" "c:\Users\Admin\AppData\Local\Temp\lgblvoi2\CSC76B8E6AC6C5D4A438C46F4177CC8E93.TMP"
        6⤵
        
        PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,126,188,101,126,173,55,125,69,187,206,148,8,22,71,26,156,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,249,110,24,42,201,178,62,243,145,121,209,141,100,100,214,7,60,180,58,197,77,21,102,46,161,67,252,215,74,134,5,192,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,20,40,254,85,96,227,2,227,206,44,117,219,251,36,131,253,138,107,18,145,216,66,224,180,210,91,129,96,26,73,138,120,48,0,0,0,76,252,114,249,156,32,178,157,98,166,84,53,183,199,106,5,144,153,101,222,143,97,61,37,206,192,24,114,216,239,135,90,163,74,103,192,46,232,44,234,31,185,165,253,16,186,220,208,64,0,0,0,43,218,241,198,28,227,110,76,28,95,26,55,56,14,60,184,110,252,21,124,199,70,111,22,159,74,37,140,155,177,244,138,225,235,53,243,217,134,10,141,214,205,158,226,115,17,203,11,57,82,86,91,61,6,126,163,132,199,235,171,75,54,214,158), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,126,188,101,126,173,55,125,69,187,206,148,8,22,71,26,156,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,249,110,24,42,201,178,62,243,145,121,209,141,100,100,214,7,60,180,58,197,77,21,102,46,161,67,252,215,74,134,5,192,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,20,40,254,85,96,227,2,227,206,44,117,219,251,36,131,253,138,107,18,145,216,66,224,180,210,91,129,96,26,73,138,120,48,0,0,0,76,252,114,249,156,32,178,157,98,166,84,53,183,199,106,5,144,153,101,222,143,97,61,37,206,192,24,114,216,239,135,90,163,74,103,192,46,232,44,234,31,185,165,253,16,186,220,208,64,0,0,0,43,218,241,198,28,227,110,76,28,95,26,55,56,14,60,184,110,252,21,124,199,70,111,22,159,74,37,140,155,177,244,138,225,235,53,243,217,134,10,141,214,205,158,226,115,17,203,11,57,82,86,91,61,6,126,163,132,199,235,171,75,54,214,158), $null, 'CurrentUser')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,126,188,101,126,173,55,125,69,187,206,148,8,22,71,26,156,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,153,168,219,107,115,18,156,192,66,252,137,228,147,151,104,23,32,126,244,136,243,136,75,188,183,123,98,113,48,198,76,104,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,142,236,223,172,2,40,123,240,2,183,14,34,153,119,248,131,216,223,242,182,52,110,22,175,143,206,74,50,228,150,134,131,48,0,0,0,13,153,147,197,6,93,64,178,155,199,67,194,144,54,112,236,131,163,209,205,6,124,56,101,53,122,131,190,210,5,172,76,205,240,147,64,197,89,18,236,112,41,174,11,51,70,55,159,64,0,0,0,160,186,148,206,137,187,1,93,224,157,181,126,139,169,91,176,48,126,227,176,183,223,238,103,94,205,169,146,173,193,125,243,203,107,85,32,41,4,217,211,51,70,255,200,8,100,132,97,244,38,143,9,76,186,105,120,137,116,185,81,18,195,165,106), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,126,188,101,126,173,55,125,69,187,206,148,8,22,71,26,156,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,153,168,219,107,115,18,156,192,66,252,137,228,147,151,104,23,32,126,244,136,243,136,75,188,183,123,98,113,48,198,76,104,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,142,236,223,172,2,40,123,240,2,183,14,34,153,119,248,131,216,223,242,182,52,110,22,175,143,206,74,50,228,150,134,131,48,0,0,0,13,153,147,197,6,93,64,178,155,199,67,194,144,54,112,236,131,163,209,205,6,124,56,101,53,122,131,190,210,5,172,76,205,240,147,64,197,89,18,236,112,41,174,11,51,70,55,159,64,0,0,0,160,186,148,206,137,187,1,93,224,157,181,126,139,169,91,176,48,126,227,176,183,223,238,103,94,205,169,146,173,193,125,243,203,107,85,32,41,4,217,211,51,70,255,200,8,100,132,97,244,38,143,9,76,186,105,120,137,116,185,81,18,195,165,106), $null, 'CurrentUser')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    PID:3004
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    PID:3872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v system.dll /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    PID:1828
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v system.dll /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.JiXGsSxv2d""
    3⤵
    PID:1736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.JiXGsSxv2d"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:1228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:3704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:5004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:2200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:3184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:3460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:2268
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:3812
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    PID:2504
  - - C:\Windows\Temp\{5615890C-A11B-4996-92B3-3DC9433BD916}\.cr\python-installer.exe
      "C:\Windows\Temp\{5615890C-A11B-4996-92B3-3DC9433BD916}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      PID:900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580e75.rbs

Filesize
8KB

MD5
30ebdf8349624cffc658fb64103056c0

SHA1
d14d2a82992a29ac2a5a47c682954c85ab090def

SHA256
4b288d178587911cad8ca2b308bc8b84e69d36959cb4a525c84fd9b91f40da56

SHA512
43d62554d89aca9a7dd412e0cc2ad629229cd54aec59634b9fb49df3855ab0181de8a200a35882ff379673da728c526166ba60624e1e5cfa8726c23b97f82d3e

Download Submit
C:\Config.Msi\e580e7a.rbs

Filesize
12KB

MD5
f282bd718e8a731696112e8b5b58fccb

SHA1
1196a7c5615277bd3f3aa86690207adaac9f590f

SHA256
1835caed506a0a3eb426400782bc5a0b4e51954eaca37f027fb04ef1bedb370c

SHA512
86c914efe3d47e6333f69cfed8308a28476566afd638fe9754338fd5684467f957e0c0d8556480d918e574cef612e9e234ceacf4181c72a5272df6f185d5b28c

Download Submit
C:\Config.Msi\e580e7f.rbs

Filesize
50KB

MD5
eba334d3e6b6a8dde907e8ed0d862d2b

SHA1
9374265e6d292d0d07e24f742c1a3e20560080ff

SHA256
7d6c94a349c7821401a0d27f6bc23bd437e43b0b463793ea159360cb47484c3f

SHA512
a4a10f72bb40a9999767ca10e5f6d9ab90888bb1acca59f943a9e48b940ffd546f4b08703aeab7e067c3e768f9c723480103995e3e30d6affe89dc3e1deb57f8

Download Submit
C:\Config.Msi\e580e84.rbs

Filesize
138KB

MD5
cd771ce684e3e5c2a728687bbb9d3a3d

SHA1
fd7f4a66cc83b61b31775f6de6bcc4d8d32c0bb3

SHA256
59ab98dba9cc3ad510cd83460abab1f160b261d7c81a8ff8798ca331feb7b949

SHA512
754104e67127ac620a8401b6cdddabbd03e6608faa45ab4c290d684825525bf69a4c25e81db137a600d4727ff0e9400e9d9a8553b6b2ef414d3b10c4748403e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d640f4a1c6c16550ff339d07f8b0f1c

SHA1
5d70972293a63a7d835d5cc6cc79341df2aa0d9d

SHA256
4bec0d2f26b110e989d480ad676d05c0a47191758dce1e9328881bb67b931f8a

SHA512
ffa5f0ff9b580e99b757a19dd38a771da61dbe3cf72e4d05a45393240acaab97f982661cc195ad98e48504ae6259fb87a4142907eb7051ffeb2637df5b3857e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f79387492e5d2264cb94e2f480feaf78

SHA1
13f478f478bf824d8cccb611ac9b2645d5523c93

SHA256
f7d942ea9e79af246b7a4e461133ed9434f980e837a8b96f1e35f856ddead9e7

SHA512
c1a16d6c0edeba6659f08ae115b4ed5c496063d9e4339ff0869a85295798fb66281dba43b6de8118bda69db0d34a65966f84c522b9adcf94581934438c015479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db8affa3bdb5ee92df09c4bf1ed80c87

SHA1
1bc9d7ce26b46b84bb1859d1a27caef04ed66973

SHA256
9a18a956a3806936547fdec168ca5c44c831d360854eccf7cde6c4bf23c16b2e

SHA512
4dbca2126f6d59d6d96db0437f895d17f6f93886cecc17954eed60d64ffae5b46531b0c75b4d3f4c7f462d7ef67477bd1857590976f1f9fcc122ec6ef4476b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba43f1191bec67da653cf2afd68dd4a6

SHA1
af476a702ccf2c11c5d3eadf8078ab7ceb003264

SHA256
28150b36807c0122ac243c4bb541c42da9fd8824511420473b26d3c96dc7f3b9

SHA512
fe05f1bce17d09a9a32975519b44c9be69412e0491bd86f658adf0ad8eb7371ad9c8bde0831831353273a62d5222ca1665dbbbd823e7c7e738abd0f3d9dc570d

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.1MB

MD5
f6ddadd0d817ce569e202e57863ae919

SHA1
3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2

SHA256
63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1

SHA512
7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
fd7e13f2c36fe528afc7a05892b34695

SHA1
14a9c4dfd12e1f9b1e64e110166500be1ef0abb1

SHA256
2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0

SHA512
7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}v3.12.6150.0\dev.msi

Filesize
384KB

MD5
dc49359c176d731fef03fc51ed13c959

SHA1
3d9348460f2300faeefe1e1e3787c55e71ff0aad

SHA256
04f38bdd910eabe114dde5e321cdcbf831c6373da9d27d791b96e09cd96f5417

SHA512
5044e4b30919e0d30502162539069014fcf2a4061f9a75a1956202231d98eba985fa7234694f70fae7d3defde2f9f41e97e821e74bda66107a9f452002768793

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{537B2AF5-504B-4303-99CB-FDE56F47AA51}v3.12.6150.0\exe.msi

Filesize
724KB

MD5
2db9e147e0fd938c6d3c1e7cf6942496

SHA1
e4333f4334b5df6f88958e03ad18b54e64a1331f

SHA256
9f3fc998d3ef429818a8047a43aad89f2d88c190385ba5ac57124132acda9eab

SHA512
4b9cbbf2d26cab8be365671d91c7f95216e90a9de30b87224228d1ab5db64a888fbf0b552d259dc5552d2da28451a394c227da312c73807a9c69fe6edfa3cbc8

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi

Filesize
1.9MB

MD5
d4c1f834f30032f220409a17e0f688cd

SHA1
61dc90b164c3797456a8ed775b353a087054fd0f

SHA256
675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12

SHA512
b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
f71859e5750415fb32eb045e58635cae

SHA1
fa70d2a35caeb0c12214775cad8cdd8ff0583b59

SHA256
8d668f74825fd8cf5809d9c63e36084bd04d672585fb1f5cdda429e052b8488e

SHA512
423bc36ec4d2b811aa54685a70d5b9daad21d31e95759b1437b7b1966bcdd05d322a76c4288dc647b35bd4b1f6acc0c692fa4ba365715e55671da4edef65df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
4f19535079b64da77ce91d429cfbcfdc

SHA1
68b4d4679024111b246c45328db9478f3a67a709

SHA256
fc02c6319cc5b32536a4b1773a5aba82c213fed6de3249d117b2c8ffe5c82b58

SHA512
fcea894e6a00384c4af0d5abd8143a72b122c6e3052b602ee4a150c89b538e4ac5f76dcbc01770548dba6ef67dd13420450d368bfb42ddcf4fd11995181382dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
053bd8fa3b586bd5b8ee60970c6cae44

SHA1
ada9b5270e7025a5438bc0066f68286243db15c7

SHA256
e0e342cd6302970770d542d516a02a445c13f1f6a77799342ced658ca4e3f8ad

SHA512
0bc717c9bc09ee019662ee3cee795ad5510981d36ca706872f776385b4b98826768c5a5136e592e997383690a0d1634d72d4462a05120550a6e5a3295e5a587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kc2rwSo0Mx.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250205050317_000_core_JustForMe.log

Filesize
1KB

MD5
e89e751bc9804e8ecc39e2077ab2e60f

SHA1
351a299c3f171b055fa45d219f02d7fde7e6db5f

SHA256
0de291f8d835847f1c0a26d5978433d61127050addd0b77e7feff90c1ed285e8

SHA512
5be8d1372358c06874b3d60550c587624642a1a8e6ef2e5dbb26349711aa8abebb2989ab601b40a22b3ac6e1b973e7fa59d40a4d8b5f5c7a112b7308c17698ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250205050317_001_exe_JustForMe.log

Filesize
3KB

MD5
2c2c04334f0f2c164e0e59fef41d76a1

SHA1
279a666ecdfa7534b5a79237cdecde47b29d2716

SHA256
ac9bd6b57aa409b8d4126ff76a6db7db07c3b8db7b57e27f3636fc3810eee5a8

SHA512
9060c7aaadf7ee50332e065f4029de41fbe15d6c5147214be58620ea6d36d99d49d3500e5f68cc713364088b228b8a1fe1a3fcc8c7f6b282f58f653d601faece

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250205050317_002_dev_JustForMe.log

Filesize
3KB

MD5
1c56f9d94429687af1e373602ef74c79

SHA1
2918dcd5a5fc8e2400364b27ac058af2b3167b6b

SHA256
2eb072ce505b2378f38081f7fac6b903a91adee2a090c608bae484027257d49e

SHA512
8bd089022de971249c1e976c81c622728730a6a4cf9e1c79b04da667a1959bced71aba7d251d7f4a7977f4d2d4549f2aadc911c84c5f0a27c5685d43e6d451bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250205050317_003_lib_JustForMe.log

Filesize
1KB

MD5
d175e9703f764a32fef43f8ccc6c759f

SHA1
8708827ff1c24189ac801dfc733de19bec9a00bf

SHA256
2942f7682a9541dfe142e93094f295c1e2cc028a68b403a8e7e76f130e5010f5

SHA512
e5bf580b076300263ce49ff07ee2c41385334ec5f5d34ff0059208a2b1fefc96dc7b59646c61edb9f3758f886dd04ef73175808d362df6561dd0babbaa32b349

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20250205050317_004_tcltk_JustForMe.log

Filesize
3KB

MD5
b22d6b18d129f4d7e8b8d3338e472677

SHA1
56830fcd9d989f097af18d095d53579a9b57b451

SHA256
d8758c37dc27e2dcfb3f2d1ecbf1e099aae765d08c437e881c4a2f97c88dc5e2

SHA512
8a59fcbd901b6f4eaaa34dbd41f4f985b1f571763f04dacf347338110222dc9f061fd5eab18445bd21f820f5425fca3b6e21f0c675d72e2d7197f70f934268bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE4A.tmp

Filesize
1KB

MD5
1feb3205f4f4708e5909d6f4715a620c

SHA1
7edb4732d960fcf5828d0300c2b67ee550817938

SHA256
b3069bc089c893a482402b679562b030351ffa36b65adaa74ac930fcfd598f8b

SHA512
0505a726a02b50d52cb59552f12b93de97542db03d7762b4695b9312ca684db2e652d9b04de9974484a299499a2ee6b892d944081b541b0dcc9f978347f72f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
46f2f154060d639b1f5f1ceb47ba9574

SHA1
6bdee2c266f48415b9d580801fea16a9d43faa25

SHA256
a08b36bde4948ac2878d5aaaad2e2cacf0ed2b1fde097b9c6ae2d777843b1d4f

SHA512
752e3042d9e3b50748d4075aca84ab61a975dad6be1d5c1ef6d807e8933048e75221ea0babf935b1aee778bad3f51374ca3984418cb4587d5f2e1de45b07f7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4p1mclk1.gsu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\autCD23.tmp

Filesize
14.6MB

MD5
5aa219d1ea73f71f39e2b4cf09f84787

SHA1
66c996348e41aa32686d5eb9389dfc4dcbdf6acb

SHA256
48e152a15e74d7d397fe6f51a9b183091352930e695b56d3a0d3ee80197664b0

SHA512
77426e81f92479c930d221c4e6c5397027b2f1036895eb42a374674cd73d7ed8c1df59ec7adbdbff2ce67c15a8ded2f59db9349804df59921daab15cd1bbbe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\host.exe

Filesize
22KB

MD5
1b6c329b64a9d5a8b37db35c6ab08d81

SHA1
9d233019f811dc56810102889838e5087a1f18b1

SHA256
4cc11297a2bd2f4d4cbbb8ed3123e46db325a0808a29499897c34e3e49d392f9

SHA512
df80242f2e33269c6cbdfef39460fcfb3f5b44c1f7463c8c897813c9ad2f828769e486469e948dbcd6378791c2917ac8f39cabb38a797207cc55e4cfee794fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgblvoi2\lgblvoi2.dll

Filesize
3KB

MD5
8162305431da6beb57a00643527375f1

SHA1
79b4d4b8034e781bcd267d8cc48d2d59cce55e49

SHA256
4f463a78c335075572e5f42ae19974108f7b1a46c48027ed00f08e3c6988a334

SHA512
1da9968ddcbe56df67dd3d03bbcfa560b6cd2d86c3446239f7aa75cb6dfc7856ab7b83761d94dfbbb9abc4425d0de9a3006feeddb3b7f71a5a6c6dde9395f2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.dll.exe

Filesize
37.2MB

MD5
fe7289489248263aa30870bb95892163

SHA1
c5f853974f90c6f032d7119eae24a811dd4a55af

SHA256
8f41b4f16a02cf70f620b3f9cc8d11eb3d97707eb8d50f418789628ad77c4bf9

SHA512
aebcec7967744dab0f605e349d396a8e397b7e36f9d5f80c38f6caf08f2cf45edb7ab873cfee59082ad7f54bb4b092593c434e1755ec3ca13d8273b734e4c0bc

Download Submit
C:\Users\Admin\AppData\Roaming\Stable_Network.exe

Filesize
15.9MB

MD5
a1a51313f8d07d2eb4ca0123108094e1

SHA1
4024e60d52e4c992596b73cb205ea7b4a1a91ae0

SHA256
8753515f422c81bf9bf921d9857f5f7ee0b3f47573e84129092e095147eebd63

SHA512
3a43cdaae6d988f935f4092d5a9a4eb3cf2f2230d438858a3dc24eec6b050c21c1844f899b60fc69ed3d34b76f2f4057b82e8730f149b0103628af7219392e4d

Download Submit
C:\Users\Admin\AppData\Roaming\rundl32.exe

Filesize
32KB

MD5
c51af2c2a47ba5716ba57939bbe28b5d

SHA1
3e7294cba2e81cec02b5c18db9c8e6b6fdea60a6

SHA256
52055979386ff9f81bceaa8a2a2e2be3f0f78e74097bf34b7c7aa8bd0cd01033

SHA512
0f0e9dcd7eb85820e4be8a19cc471b8599c1b69e2750b528e88e8fd508bd994a382f4fdd10850f74966732c6e46a48ec92c9155c1bb516a2e94de70494ade28a

Download Submit
C:\Windows\Temp\{3FCB0F51-9FA2-4941-A431-FF2EFAF5A114}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{3FCB0F51-9FA2-4941-A431-FF2EFAF5A114}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{3FCB0F51-9FA2-4941-A431-FF2EFAF5A114}\pip_JustForMe

Filesize
268KB

MD5
494f112096b61cb01810df0e419fb93c

SHA1
295c32c8e1654810c4807e42ba2438c8da39756a

SHA256
2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80

SHA512
9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704

Download Submit
C:\Windows\Temp\{5615890C-A11B-4996-92B3-3DC9433BD916}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgblvoi2\CSC76B8E6AC6C5D4A438C46F4177CC8E93.TMP

Filesize
652B

MD5
1449d0b366f54e80e424e3f815dac749

SHA1
82dc637cc4d9103fd72b2eb21fbe195bd1983da4

SHA256
64f9d2f7846d364dfd1dfbc45e7bf62d1e1932842ba051f4fe01984be827959c

SHA512
b928064791ba05542e7ab5c3e8da0a7b0df40b8c0f578abf5e2d393c383aefd799c4c78c91a708bb7ce76ebe6489ffd0e32d74a79f1f2ba7818ab808e275d2f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgblvoi2\lgblvoi2.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgblvoi2\lgblvoi2.cmdline

Filesize
369B

MD5
f140f9bb3c7e950d1ffabcacf506b501

SHA1
c48aa3c4e30a152187e674851b14be5669f18280

SHA256
cb0d8a916363cbf73bccd6ad668332d3269d0b063baa134e577baf2c12d1c51b

SHA512
42d55f5c8c09a149b918b066d7ae741e2026c6ecd95f97cbc35a01a500860b7443f1677e3b72f1cd3f296dda1c3a0419036ac2c8472e210772cc02d3aa3ab8d2

Download Submit
memory/1064-16-0x00007FF9946F0000-0x00007FF9951B1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-234-0x00007FF9946F0000-0x00007FF9951B1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-14-0x00007FF9946F3000-0x00007FF9946F5000-memory.dmp

Filesize
8KB

Download
memory/1064-222-0x00007FF9946F3000-0x00007FF9946F5000-memory.dmp

Filesize
8KB

Download
memory/1064-15-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1176-195-0x000001851D0F0000-0x000001851D140000-memory.dmp

Filesize
320KB

Download
memory/1600-53-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1600-0-0x00000000753D2000-0x00000000753D3000-memory.dmp

Filesize
4KB

Download
memory/1600-2-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1600-1-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1768-153-0x0000018714540000-0x0000018714548000-memory.dmp

Filesize
32KB

Download
memory/1768-138-0x0000018714730000-0x0000018714752000-memory.dmp

Filesize
136KB

Download
memory/1768-157-0x000001872CCE0000-0x000001872CEFC000-memory.dmp

Filesize
2.1MB

Download
memory/3904-212-0x000001DD6A280000-0x000001DD6A49C000-memory.dmp

Filesize
2.1MB

Download