Overview

overview

10

Static

static

3

ce681c13d1...75.exe

windows7-x64

10

ce681c13d1...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2025 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce681c13d13cdb9a2e2e5ee042522d32c473033cc80636ef75a74da982c8d275.exe

  • Size

    566KB

  • MD5

    2be09f962ffbee8d412fc375478a0ebd

  • SHA1

    2757c6eb883b692cbc2611d1d02be3ccc2e5e1e7

  • SHA256

    ce681c13d13cdb9a2e2e5ee042522d32c473033cc80636ef75a74da982c8d275

  • SHA512

    1bc701bf3738828290e4b8ea10422585ea649b2f1f1c4df723e37243e1053154db50f24f016142ecb06bab9524fde29eed7e769a67e2c3819b011a06bf0cee1f

  • SSDEEP

    12288:rBk0HioBu3yCeOr0rS6KsXr7ieWCUjyB0aI78IV:rBREyCTr0rFf7aCZB0

Score
10/10
njrathackeddefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

cpanel.hackcrack.io:2222

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce681c13d13cdb9a2e2e5ee042522d32c473033cc80636ef75a74da982c8d275.exe
    "C:\Users\Admin\AppData\Local\Temp\ce681c13d13cdb9a2e2e5ee042522d32c473033cc80636ef75a74da982c8d275.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:692
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:436
          • \??\c:\windows\system32\cmstp.exe
            "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\dgypgj2j.inf
            5⤵
              PID:1744
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:336
              • C:\Windows\SYSTEM32\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
                6⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:4556
      • C:\Users\Admin\AppData\Local\Temp\Mullvad.Generator .exe
        "C:\Users\Admin\AppData\Local\Temp\Mullvad.Generator .exe"
        2⤵
        • Executes dropped EXE
        PID:1468
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2972
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3900
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2936
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2204
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3596
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
        2⤵
        • Hide Artifacts: Hidden Window
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:828
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1076
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0Q5RjYxRjMtMkU0RS00NzYyLUJEMTYtQzZCNjA2MzRBMEEyfSIgdXNlcmlkPSJ7MENGNTE4NkYtMDk0My00Qzk0LTkyRjQtMzIxMjlGRTdBREIwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzNDNzdBMTMtQkE4Qy00RUE1LUI2OTctMTIzQTNFOEEwOTJBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM5NzU1NzYwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:3252

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Window

    1
    T1564.003

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
      Filesize

      408B

      MD5

      8e1e19a5abcce21f8a12921d6a2eeeee

      SHA1

      b5704368dfd8fc7aeafb15c23b69895e809fe20e

      SHA256

      22cf24d10cc11a9bb23268f18afbc8f3481c27e1feb4cb42ba5c8775e12720e3

      SHA512

      48365f858592d677ef5d0e2948f672234898e47a153eec32592a2e079353702a64e41e1aa59250f05bd690690b9edfb8455dfac90c6695fb7c0b6907a057fe78

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log
      Filesize

      676B

      MD5

      79d206410500f74a6f755f82d514c459

      SHA1

      67782eff101d316ad1eb79ee76dc4095f5994db3

      SHA256

      697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

      SHA512

      72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
      Filesize

      588B

      MD5

      8e9089cad91c0c44ed582752be2e0ba7

      SHA1

      9f46ad1051543ec908413a8b323fe39d663c82a0

      SHA256

      d607a7cb2f3bc8a26b58212f8ffa0688610bdb7ed0c455913ca8d39b8f17ca38

      SHA512

      8a21f2f3d6c229e17c545f5cc09a0614e54a3d84d2bd62b5ba745d942d898e958e09c0216e0f8fffbbc3453f1e47417369be08237a3eeb4e787b7ba40222b8b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      750e4be22a6fdadd7778a388198a9ee3

      SHA1

      8feb2054d8a3767833dd972535df54f0c3ab6648

      SHA256

      26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

      SHA512

      b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      c10cfa26c677940868333b5d12995fe7

      SHA1

      8bd4f8a130ab061d82aa396e67275e159cdf84d4

      SHA256

      56ef5227bacb05d5422871c60972b5cbc6b3a4a035ce4f7d747470905dbc239a

      SHA512

      1362577adbf32088b4be84dae4007b9688874e4e496a7d2108e11aef065799123b2df7fb88dc04b18837cc1062d4059b042ae8388a4916838792699d96c130f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cadef9abd087803c630df65264a6c81c

      SHA1

      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

      SHA256

      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

      SHA512

      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      bd5940f08d0be56e65e5f2aaf47c538e

      SHA1

      d7e31b87866e5e383ab5499da64aba50f03e8443

      SHA256

      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

      SHA512

      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Mullvad.Generator .exe
      Filesize

      139KB

      MD5

      493fef9d357c578cb3146c1acf56a8db

      SHA1

      0c90022fdf93ec0b1e22069fde670e9dee3007bf

      SHA256

      a5d226affb5dbeee04c728c58b0064efe75fdb695f2f211337c5ed0d322936fc

      SHA512

      f1dabf51172154ec3255d41e35efa8b68c2f846bf500fa9315c744abacfc7dc4be568f41d7b844766b7e49a176184d12d6e0fec70cea396f6f698a96b585b831

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Filesize

      375KB

      MD5

      8e4f8329f0837d6a3801dd96973a05fe

      SHA1

      7309226e370a33000c08653504f2ac5786944b2b

      SHA256

      0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d

      SHA512

      9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ehb0amrj.dfx.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dgypgj2j.inf
      Filesize

      619B

      MD5

      6f1420f2133f3e08fd8cdea0e1f5fe27

      SHA1

      3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

      SHA256

      aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

      SHA512

      d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      Filesize

      355KB

      MD5

      f41a73cdd753f77e4da0a16b131d67dd

      SHA1

      d213d85d0d8d39a2775549b2495680a789e981d8

      SHA256

      dff8e155e78054e4be440619c04f0bd64613ae8dbdd5f8d3ffa3a0f7a9f78ed2

      SHA512

      58384b24d9e2620295363db801923e7f34d92297ba57d3eed51adb5c195b5dc4eecb37403c9f06ac92e86d27cf853e56fd44c48562bdb69dea6aa78b216c6c42

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip
      Filesize

      461KB

      MD5

      1a51a402b6b5f79648f02dbfd0cc7879

      SHA1

      cf3d0cecdfe552e82abc25efdd0d706dcf6d2d4c

      SHA256

      059f64eb1e0b0e6806dbe21c3d542cf89d9b1a91345df2f60c2dcc18ff124de4

      SHA512

      be834f24b3f60d4f27f5500e28d6d871c438ee9dcc0e5fbe0a9e127d98c554de2d38eecd2f70302af06a1e861a073a8fb9dac0dd87161ac4c19ce6d87855705d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
      Filesize

      252KB

      MD5

      e5d01a5a8cc5c5ca9a5329459814c91a

      SHA1

      00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067

      SHA256

      612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6

      SHA512

      2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
      Filesize

      84KB

      MD5

      15ee95bc8e2e65416f2a30cf05ef9c2e

      SHA1

      107ca99d3414642450dec196febcd787ac8d7596

      SHA256

      c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

      SHA512

      ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

      Download Submit

    • memory/436-76-0x000000001BD10000-0x000000001BD1C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/436-73-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2936-96-0x00000264FD8A0000-0x00000264FD8C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3500-5-0x000000001BCE0000-0x000000001BD7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3500-1-0x000000001BB90000-0x000000001BC36000-memory.dmp

      Filesize

      664KB

      Download

    • memory/3500-2-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3500-0-0x00007FFB98C55000-0x00007FFB98C56000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3500-3-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3500-4-0x000000001C4A0000-0x000000001C96E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3500-41-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4192-44-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4192-52-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4192-40-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4192-42-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4300-49-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4300-21-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4300-19-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/4300-18-0x00007FFB989A0000-0x00007FFB99341000-memory.dmp

      Filesize

      9.6MB

      Download