Overview

overview

10

Static

static

10

Kaspersky.exe

windows7-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Kaspersky.exe

  • Size

    93KB

  • MD5

    327274bc008bf3d8e260af2a4b70d059

  • SHA1

    d4058bac2970b6d2da5b77c3fb5dffeec236262c

  • SHA256

    a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

  • SHA512

    bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b

  • SSDEEP

    1536:7V4FQWqkqqoLc2m+isjEwzGi1dDsDMgS:7V4mkqqoA2xiti1dal

Score
10/10
njratcheaterdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cheater

C2

hakim32.ddns.net:2000

2.tcp.eu.ngrok.io:17350
Mutex

09a86df6668fdfee2a06a5034dda1e09

Attributes
  • reg_key

    09a86df6668fdfee2a06a5034dda1e09

  • splitter

    |'|'|

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
    evasiontrojan
  • Njrat family
    njrat
  • UAC bypass 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    defense_evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 3 IoCs
    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 6 IoCs

    remove IFEO.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe
    "C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\server.exe
      "C:\Users\Admin\server.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2764
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2464
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2804
      • C:\Users\Admin\AppData\Local\Temp\tmpB960.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpB960.tmp.exe"
        3⤵
        • Modifies Windows Defender DisableAntiSpyware settings
        • UAC bypass
        • Windows security bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2992
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\tmpB960.tmp.exe" /rl HIGHEST /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\system32\schtasks.exe
            schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\tmpB960.tmp.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmpB960.tmp.exe'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2980
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "GoogleUpdateTaskMachineUK"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "GoogleUpdateTaskMachineUK"
            5⤵
              PID:836
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1224
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4e4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1564

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    2
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Event Triggered Execution

    2
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    5
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    4
    T1562.001

    Indicator Removal

    1
    T1070

    Clear Persistence

    1
    T1070.009

    Modify Registry

    7
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$I3QXY75.vsdm
      Filesize

      544B

      MD5

      e0eaf854fc85f3f3956b8dc8a2d098d7

      SHA1

      31c9630109e12a2a9d64ed14a1335dc32f1b9205

      SHA256

      e9f1fa074607c151f21ad64e0b8ea62c59802c8c75d41a9cdcbe5d8cdb4ee61b

      SHA512

      f057649ca4213c9ea9995ad2dd7ae998e22351e4e2af312eff2fee706ef715ea68a2a9f01f51cd07bf6245f1b862cafb2d5d961154b537ac55dd4a597ef6ca9b

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$I8VSUZF.xhtml
      Filesize

      544B

      MD5

      37adffff0e0205d51954fa68f5e4134a

      SHA1

      c747a8e9eff13cefbadb236f1c67e32d4a54a6e1

      SHA256

      aea8c4a36e98ccc64f86226e7ab36ec301644fad80fbb04fb873eb9bc8b733ac

      SHA512

      929cb0ee15156aea5532050d09cd857b34ac369912241b15c57dcecbce8ed812757836f7fa72022b8cd67bdab43b6df93285a6419ae5d109c59f726162d59373

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$I9NIUL9.xlsx
      Filesize

      544B

      MD5

      1290a74a427f07dba0daa0efbf19ec0a

      SHA1

      b06dc33dbd4ca4f9ede7da507dc71e472be79450

      SHA256

      5a116aabe674b4550557031b3a335cc092a4fbb007f6be133bdf925dc8a011d8

      SHA512

      d1fb8d0d64df1783bf804bdd1340b957d7e6c892d7464f219788cebb2e00a48babf3ba3580bc01862aece4e3e85bb0381fc69143a0c47b702b24f4a641c289a7

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$ID6NNOC.rtf
      Filesize

      544B

      MD5

      53a6005ee381f2a1ffb68edf7092e735

      SHA1

      876c36b31bcc9ee9516587b0b4b1a9986723b20d

      SHA256

      1ee5c9fcf6c8fa3a23c0f7649d0ce15417d7416c8cb6630acc59d6dcef594917

      SHA512

      94a8ef47917bc38a71b524263fb5dac8ffe86a5939c17f6a8f14d2bff350ca32dd24392a0d6fda01b83b3f616686145f44999b546ada479fd826faf3f9ac3d48

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$IDDXQQ7.tif
      Filesize

      544B

      MD5

      7fe4edc616397ed2c035365fad021063

      SHA1

      2a560e6e16e9fcd0ce2a034103c8eabc7f84475b

      SHA256

      016a2e75fc831402e16a009996b63079e5638ea6b32049a2ff62d5a0a38d219e

      SHA512

      b0bf6e834e43f5da54b40e61eacea0232e2213edc0b7d8023e267aa976358d0314551e2fff283ac55866e1494bb5cb4fe8a8762f6e99e648eb56a4d1afb17052

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$IHDCHLT.emf
      Filesize

      544B

      MD5

      219ba2376a9826c73e4581c5ab144f74

      SHA1

      544e94366f9529f5bfce8dbe1aae1ef815b392aa

      SHA256

      f0659a1acb90759be6f70eef53844cf41359088d59ebdb81b05487a900c0bb17

      SHA512

      dca4745503a36be67a6b7a4972a2ac778f3cb8123b57180e80e13c407086cb1ec29770e082a97547c677f812167bd7576b52050f2f8d03ebc8dd93d5a0e43944

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$II92HRM.docx
      Filesize

      544B

      MD5

      b35556ccbf291bf9af9cc07a3a936d53

      SHA1

      11bc1a04c5f63391291c5dd494e085f908595741

      SHA256

      f8b3daf6daef58d49e0505d9daceae2834f3d7f32e188c529d43aeb3f104b0b2

      SHA512

      8fdac881528d2753e542f8c2993a3e36eb6e909c39d891f2ad0882b5cb50671e40f651bf854cc611d55cef291af732e929d50cd9d83a590e7799763a1df3f480

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$INFR4H3.xlsx
      Filesize

      544B

      MD5

      248d65abaa6299cf643e5ee6af38cd69

      SHA1

      4e134c2cecf5dd0305748951a50069868171d561

      SHA256

      52a2ab326cd0312056ee67c6fed94cde60633df99b32f121b25ab28b51c1e188

      SHA512

      403167286faf1b6b578bc303b786021ad7b2dc55a832037c978569e3840aa9cf520c3a37d9cac3a5847c64ec34e5fefdb15aacd52a281b934a252fc878ca6f79

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$IOS84TH.lnk
      Filesize

      544B

      MD5

      c06033c6c174c335096eb3e9f8b76f85

      SHA1

      ea21b23fdf113f55a511c84a8c49fa425923588e

      SHA256

      deb6054572e1e46e525dabe30da832211c686f95f7093d7ca5c115864b3c09f3

      SHA512

      b7531f1ad64098e84b83cbef53bba11ddf3e2614975d95cb57de6d93a3080ea240aa723f9eb41253c4fb6fde7331931ad9148d265ab4b0cde7bed8ff1f170a6f

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$ISOKIWO.aiff
      Filesize

      544B

      MD5

      32ae3f6ff3daa94fb6eb2e3f4c095e01

      SHA1

      ea57502ffa766552c255334072df0e3c8a13c247

      SHA256

      880389d036d1b8cf147b72fc3e6e0dd5ebcfc0154a2194056367c2319b67e2ab

      SHA512

      72ffc22c6cece12d5716f6cf70a863423d10091185207b0e72db32406184d76b1ed3ee3753b8ca4dec7655d44170533ac234a31d36d891abef2f33c0ff643f84

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$IWIW9V7.eps
      Filesize

      544B

      MD5

      eaeefb7c9f2c297528d86db4ea60dd39

      SHA1

      3aa8d1d8d953587e19ff311e8ee461adc4c4537b

      SHA256

      437aac904406bc920061352b554735c6ce445bb1bb1d7642e50c53f364a6d9ee

      SHA512

      bc453a35a41d6ac8d4ddd1cf725992d27d9f825a66eee654e0701b3dc534691d59eff8a59f0edda4c20ae959b1d5977f877cc5d5e9bdde1cf176b86d77236212

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$IXG1CV3.xlsb
      Filesize

      544B

      MD5

      5a9218780f144cbc800c96dcb17a30b8

      SHA1

      0f2aa6c2bf40d4c0997801142d285858abb3416e

      SHA256

      3d017d4ccd973b43285b1e098af9685651d4fe8604d6dd39d3e0426650228eb8

      SHA512

      238b4486140eb40a1af2191c7625f0d208bc47efb827f02f4aa7bbac92e11fe1d225301e3142ede9fbf98e8015e478d7f963d47955ea461c6a75e814a1d844db

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\$IZ4JFC6.zip
      Filesize

      544B

      MD5

      d8d48f32911625ccc18a289010571910

      SHA1

      b55de2c2c4728f02fa9db7ac0e3acff1277da239

      SHA256

      2aac81e799b4d3f3e753218306927d251df83867d1514aa57568c35b88ce292a

      SHA512

      1c13f5b8b2ac3efbcb2e212f8262e91b15e08cea24d2b15321d42dc347dbefee7eb79f7be9a65940ac09da0c348376f06bd4d57ce0794d6cd42b11acfe00521f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\app
      Filesize

      5B

      MD5

      112317d572ce0538d2d1b20d7f32170e

      SHA1

      c7f3714c4806b907bcff7f79aa1d1c9373b77d1e

      SHA256

      fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9

      SHA512

      265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

      Download Submit

    • C:\Users\Admin\Desktop\BlockConvert.zip
      Filesize

      392KB

      MD5

      b6a2bcf0fe6f44bf574133253dc03b34

      SHA1

      1620fed204d915afdfa7e89a9431bb430bbda8b2

      SHA256

      a8da723784da463180e84d676f2b682aceec71da2278ddad3d1176fca97761c0

      SHA512

      022262cbc52c768f18724b75d1e3ae0aa5b2f6f077b4d7bec4a0bf47dae78efb506d4c3081de61e817ca4a35203d611b3a241e0dd7e33bdcb5d573031581bec4

      Download Submit

    • C:\Users\Admin\Desktop\ClearCheckpoint.xlsx
      Filesize

      9KB

      MD5

      80f149f5fcd67f94687e1891f4f57a3d

      SHA1

      cec921d93c29dc0200a182f0aa124bb152486063

      SHA256

      9c4a2ce69be12549ff201665313e464d1cbf56281d8b3ca3fa7c2d3219d343e1

      SHA512

      c8562569723db442ed65d5dcfc11b5846d0bf4a17dd314c90a5b13ff7c53302f9f9331dc84711d541a10b949714a6136a965604dae485256e61b4f11dd739507

      Download Submit

    • C:\Users\Admin\Desktop\CompleteInvoke.xhtml
      Filesize

      410KB

      MD5

      2593cd6867b1b0cffc691fe385cc1316

      SHA1

      c814aaded8dd6f151909c905897f8a99b7c2033f

      SHA256

      9d9d9558850566fc91bef89cb757e09a5f75ef1612d0743b20ac4d6bfe62d560

      SHA512

      081c7770b26b70197268ba01b425939b00189eae785a02151fd463441a9cb290a6e98ae14ce46cde6ff6eafb39dac6488846b2b4efa746e550698f829f59f5d4

      Download Submit

    • C:\Users\Admin\Desktop\ConvertFromReceive.emf
      Filesize

      374KB

      MD5

      712a6229b9e80b64dd3e0b7386a1132b

      SHA1

      20b61340fdfea09d671e57307c155f695571bf45

      SHA256

      03ae823163403219d6c054bcfd05c735fa53e37cd0ff97cc7a1467b141d7b57d

      SHA512

      f34ea783d50b60dc9886b23f2c8b9a1d2a896b997fd64499c074d7b7760a158ca53f7c90c100562ba59de1a8e14b11a7862171fc16cd5f26117f012d9b3d9351

      Download Submit

    • C:\Users\Admin\Desktop\ConvertShow.eps
      Filesize

      301KB

      MD5

      4bb833ab7cfabef3d25a88497bc98a5e

      SHA1

      24e7dcd59ddd6118115574e2d14e9e18d84310e6

      SHA256

      ed0767771f5409e4d632cd926590ee7c38c5f8934d1cdcc2e741ad96fa18b7ea

      SHA512

      0d367c0027c11f17b7a40219442335bf56ba2091ec105986b26017e02d9082ec744a91436a7953bfec796113669696db22735fd472f57dd1f6aaabac1e232c14

      Download Submit

    • C:\Users\Admin\Desktop\DebugSwitch.aiff
      Filesize

      447KB

      MD5

      ccb2f6154393ed79b02438c7a5243b62

      SHA1

      f5b637d5768e75a173f27612a847bf6446ceb5fb

      SHA256

      4909e8746d39ae6bfe61f6b8c5f53c4c36e7c9c0dc64ca7b7f5e6baaafd9fffb

      SHA512

      5ae550736655dfdccfba9b41d095f04c65acd2c678bc9e58cca8bb4b0d74bb083f19066a274bc167162b71f0ad9e72ff138e924c366a7a27fbf93ea75eca9a78

      Download Submit

    • C:\Users\Admin\Desktop\DenyRestore.xlsb
      Filesize

      337KB

      MD5

      3a50d2a6b85488408f60316cdecdc87b

      SHA1

      e037e8bd3f4aed4f1d3d72db128b1485aac6ccf2

      SHA256

      b848b67f71123c5b911092b929be8a05d9f28797258b84acc32596eafea72c9d

      SHA512

      c671470a4132071e9e075473764fa0cc2c3f0f449947ea063f600e7b4c52209bcf3ce9dfc28f36b946ad0b4afcedc36d84233bd8d3a0e8580d454600a10f7060

      Download Submit

    • C:\Users\Admin\Desktop\DenyUpdate.rtf
      Filesize

      648KB

      MD5

      b3614769d2528c6577786c5e062863db

      SHA1

      585cdaf1041e1a08fcc92e4e559c1c206a562592

      SHA256

      744e27a26792de435ce2a75557e864450d84f698c3df503c19695d7211233bc5

      SHA512

      b4d8a9441b125c34f0da7840b4ea7471a2b0571424f30b20ae02f69ce8bc1eb3d2b4e7d948241f9173ab5acb78466c086fa3807110105a132c8374ad7ade489b

      Download Submit

    • C:\Users\Admin\Desktop\DisconnectEnable.lnk
      Filesize

      483KB

      MD5

      70b9cb7029544a12c7ceda9766fc9cb9

      SHA1

      cbac98203403bd13545cb629de72745aef191d79

      SHA256

      2bccbe2773e7bd3a8cfda58366cae8bdbf1a4429056f529416518121988f1ea9

      SHA512

      55a68a79d2b6fa6d7086f75f4905fe4bd878229d812e2c418f65af800d342906c6837212849e5bbf870efb543f62b236868aa1ecd2bf22d0d42f6d5389009228

      Download Submit

    • C:\Users\Admin\Desktop\EnableApprove.xlsx
      Filesize

      10KB

      MD5

      055b1aa7be127bec92d0f352681752fd

      SHA1

      a6382a75b0c6c65d6947a27a52db8077fee34211

      SHA256

      b206db309cf5edfe2282ad803694018e3768f8497a904883d689f51122aa3800

      SHA512

      30df076e156a77fd2f1a9842e238f2cde5df623ed1fe0402c949aacfbf8564e038bab324d4ec3ee5c3ef989680ef76d3ca092f5aefa8cd66f687d52a43e4d555

      Download Submit

    • C:\Users\Admin\Desktop\ExpandConvert.tif
      Filesize

      538KB

      MD5

      baf025960487aa5d3beade76a87f91be

      SHA1

      1116160dd0999528a6ffce40587f35510ae5ac7c

      SHA256

      78884e1a848024634d5f66863bc2eb709b3ff9b4f5597a35a9e35e7f65a3d331

      SHA512

      2c23457fcce96c404bc3705b6698bd5d62753f73b69758070398c4bd7730c6cb1248b66759c99eb6ae2340b625e8a1a179b453ee920917380fca4f6e46690d1c

      Download Submit

    • C:\Users\Admin\Desktop\ExpandWrite.docx
      Filesize

      703KB

      MD5

      a369d72538676faed7bf5ad6238178ff

      SHA1

      c7d4c3b808c79e9c37629622cdd858287a195584

      SHA256

      49c6c5f0aeb37f910128adb8e82c8bba5ed35b44640e624689cb5286553feaca

      SHA512

      4be30ad5b25d218a7e70d3162b76bf5d83419c1abfda06ca244b9f3dad28e27835a0ab9903c4c447dcb7c9facf62ebd0b43e8c66c1999e32be68a8fb459643de

      Download Submit

    • C:\Users\Admin\Desktop\GrantSuspend.vsw
      Filesize

      757KB

      MD5

      ca2cffea3dff1f28b996c66ae3d6991b

      SHA1

      f7240c5cd52c83f1aa19feacf266847c3010f614

      SHA256

      c850d56604bf1f3fdc43fbacf77bca9f71de33e45a80536a5af442daf05e2455

      SHA512

      82133b04ada77481a9b78fb9af333407624dfd6865c0f904c07663e687ddaedb019c45651f8bee64eb7c89542e8925126e69c9d5141271ef1adcdd8eb03bc3b1

      Download Submit

    • C:\Users\Admin\Desktop\LockMount.i64
      Filesize

      721KB

      MD5

      5a6d41a96206456168a9994c972061a3

      SHA1

      c4e8ba5a4c1adb75988647ad453b5b1d8ec4d34d

      SHA256

      239d8e51b03e1de2cccd5dcd90bea04bc963212d99d0ce595206c0c165c95737

      SHA512

      ca3d0bcab516b3590ce0aca2320fdc46122b3aa9f14046361326e2bbe1a8f81693e336d2b7856df2eb980c67c6fef5aa9a46d6b6f28f36845f59a8651040c299

      Download Submit

    • C:\Users\Admin\Desktop\LockPop.html
      Filesize

      1.0MB

      MD5

      c5f150b33a6b9b339959ca1a4ff9b6f6

      SHA1

      53c349c3057b8b395a5e9085e53d09c419832a4d

      SHA256

      4758dfca723a3421739f9a271fab3dda9d42b739bf96e50c72bafc8bd624aa46

      SHA512

      0559d2e985a3502ac42c347ef240cd13f3d2a8d6ff7bc841f967eb7290bb3ab6007d0ab27d7970cc56f5628506f0f81e180fff09ac130aed87d4c501c65ab66c

      Download Submit

    • C:\Users\Admin\Desktop\PingSplit.docx
      Filesize

      19KB

      MD5

      5be197b92559ef94345acf8784a44441

      SHA1

      94442c3cdd9ddd0cda3db9887a08523daa5d261e

      SHA256

      cdb6efa81c581a8f24252fd7cdefcf12be5163294d043e5e66f2b722f1c9bf05

      SHA512

      b8756b118ab95839ed312227855a0b785ebe6016ee641d6dbff6e1c634e2484fdf513cf9e9066ce00558d360ec59ac2ba92151b20b16b597eeca32c36665546a

      Download Submit

    • C:\Users\Admin\Desktop\PingUninstall.xml
      Filesize

      684KB

      MD5

      3d200f7e5d60229927933ede893eb2b2

      SHA1

      33289a0b47acf882c60d0520ebafe70c41190c5e

      SHA256

      0579d9b8c410b2ae6c5d37884708750bb0b3105bfa95ed9223f9a7e465bc7ee4

      SHA512

      ee13e4acadc46519b312663a0c93bb4ecc6ecdf11f55de0739d567966778ae2e931116ada632fecfaefb8b90276f8b605317218c3a9d2fbe6d10c654365eaafc

      Download Submit

    • C:\Users\Admin\Desktop\ProtectUse.dxf
      Filesize

      283KB

      MD5

      d74244285e9417434e4d46a9fe852af1

      SHA1

      703fef7edc28bb945e7c51128938bb6c073c21ac

      SHA256

      34c1baa435bd962e37bb42cbee6e91fc914f6f8abf9bcf7a552bcfd2553ec544

      SHA512

      f55571052eefb1ba7f2da4f668dc0151daefd777d86128f918720608d51686241f139c5d3e593631b5499ed8d35f21d85bb09a2a49dbb94e196eeb02ef77fc42

      Download Submit

    • C:\Users\Admin\Desktop\PublishConnect.mpe
      Filesize

      520KB

      MD5

      d2cb57b354ca5bea1c4f32e8ef4a9e80

      SHA1

      0a174596e7541c915a9b292365a9f6eb9b5a1e0a

      SHA256

      f9949aee0b81a481c87c79abed88b9fb8e4260697ab4e5f9961ba75dbde88235

      SHA512

      4a290cdd79ea2e3353899c2d0edfed21a232b56fb7e5200925cb44d534cf0fe3bd9d4373f419a17566023943ae56db9a716b12d4111ebc5cc92ae925602baa99

      Download Submit

    • C:\Users\Admin\Desktop\ReadCompare.jpe
      Filesize

      557KB

      MD5

      d3589a629dd6333c000c3d734cbb65e6

      SHA1

      c50213c22491fcb8ece644bba9e5adfdc0a66661

      SHA256

      63b9176634d09994785f851b0c46ca899c538f60c434db3b6871e32c3a163b9d

      SHA512

      68932f1a0133f562673fb799483b411e0d92c4442db6a6e4a6500380421097ba3e70759cce7a57ade17bcf42e6189e44ffe72ab652bf88894b62b088ac7441d6

      Download Submit

    • C:\Users\Admin\Desktop\RedoRead.svg
      Filesize

      356KB

      MD5

      15dac5ee7c7884b31c53004c58787547

      SHA1

      60c70ffc8e30e5bfbae964a0acea6243d6fd7b90

      SHA256

      10dd3d515102493624bbac34a5329bd0d064705bc15d44b47cd37c095f7c2721

      SHA512

      f4c13841e9472fe43ff8971b3a942576147f2ecfb8b3367f2b94c5b52b57b5ec82640c2519070f1e786af36e17aabc9534f0e3756cb742ecc82fd397fd44c24c

      Download Submit

    • C:\Users\Admin\Desktop\RegisterUnblock.clr
      Filesize

      739KB

      MD5

      596ab058b74dabd09e95cbd127436675

      SHA1

      074c6d49cb51dc9db32950acef4a6397d455f286

      SHA256

      202c4e0e7c41909a2816a79f616bcfa38c7ef072278705f79655c8e8faa29ffb

      SHA512

      6f983c0e025f5e6894c9f5eb1ea9ebf2a9accdf41abaedeeb3863bd9af2fbaa7276614db0f2f55cfc6dad5487947f1f100bff6d46a1f5789c6ada6adaaa20b27

      Download Submit

    • C:\Users\Admin\Desktop\RegisterUninstall.search-ms
      Filesize

      611KB

      MD5

      2e4320f2af106cdc43e0c70727d1abca

      SHA1

      c5d52e6d056275b8bfa1cd446accefc6a7361479

      SHA256

      3e63a352e7325d609cab4d4a94d0691ed87174f5c2b7fdf745e5effc38dd97ac

      SHA512

      017ef03956e45b0b71151b0955018d3652c6a18ef79fd56783c468c36804e1e4671c3a1e0a325a4a6b7af3e8d63d108158bccbb09e6fb30df454fc460c605be4

      Download Submit

    • C:\Users\Admin\Desktop\RequestPing.mpeg3
      Filesize

      575KB

      MD5

      d8f4b7ea0e2633c65cf5a7df8bb36136

      SHA1

      53f6968998a3035708352bfff4a8d72f17e550ea

      SHA256

      7de0702d5202806056eea818f227e7b0d55a39289f59ab21a033069b398f8548

      SHA512

      b398736897449c1953b6defd28a5581bd182284f1bc62c82ee2bd50117ebe02ec155803f6bdaf0898b29754be600a5388948e3039291b8d6eb7bd67192cc7971

      Download Submit

    • C:\Users\Admin\Desktop\ResumeSplit.mp3
      Filesize

      593KB

      MD5

      b79f05efc76fc5002861b42add0d0c03

      SHA1

      aeedee643a8cfc2a674f49b2fd9ef41aa19bfb80

      SHA256

      2669283b3bd0916f9c7296b9f8d2810a22ff17d7abfd3e6d4a47a0c57687ddd0

      SHA512

      5255a0fce25209028d3c7625e9294d84e7df03fdd46b82852ff17579a07fdbf15a6ef747886aaeabe030cbd09e1d4a47cbf9f2c87fab9d299003cc08261efd95

      Download Submit

    • C:\Users\Admin\Desktop\TestRegister.mid
      Filesize

      264KB

      MD5

      a8ddb975fc251583de14e7431e804de8

      SHA1

      04339ddf16072e7317646a781e69c4c9cf4b3328

      SHA256

      7e19d010bb89bf53171944de1b5e81e807b261a5fc7c49a9c8ba24714bf578dd

      SHA512

      ebc20ca114a6d1f96d6f836908ab23f26fe8b045d2f69e38d8e50d18c71a83e8538bbb5ce111c7636f04b76d309864132c3d918dee0aa6c7242a3965abf08f07

      Download Submit

    • C:\Users\Admin\Desktop\TraceConnect.jfif
      Filesize

      502KB

      MD5

      d825864cb7138921f37f632556876dc3

      SHA1

      88c0c6f952ef547598a19c2b184e3d5509a28cc9

      SHA256

      73be7c14410c77389b12304e5dca6e89c61f3525a7027cd6197016a4e584c85d

      SHA512

      1d8587a8378fabf0c46866534bb6bc82151718efcb6593ff78e2aea732e9465faae61b073d162a4a407156b8c791ae58175ae75769cce12055535b71f8a11e79

      Download Submit

    • C:\Users\Admin\Desktop\TraceOpen.gif
      Filesize

      630KB

      MD5

      a9db0626aad8f70dbdbbaddff991bfc3

      SHA1

      e568bf10eb7a1f524fb387903befee704ca07da6

      SHA256

      400530485805947b8c49ea6f8ef6359c9ad5fcc658eb7f899542e485f26569bc

      SHA512

      0eef971d0c0f8c5299153580839b475c0418bfc9ef8d3930bc30c1a348c61e99d6014d9abe250515334654bbb4cd10e643a4998cedad839ca2fff07e9e7dfdc3

      Download Submit

    • C:\Users\Admin\Desktop\UnblockPublish.xlsx
      Filesize

      10KB

      MD5

      2cec9253c18abfae2aa51b4ffe1ff505

      SHA1

      058bc6196e5f63d3440c9c62e17e263e8ddab72f

      SHA256

      34b8ed9f03e73a6cda91df84cdc5fccc550d687373d58ce880b3b38ca0ffa6c7

      SHA512

      8f8e3d4db7da3e45686a35549015eacd6ba1db1210d2920fb2b40ac7d81d13374246f885853c428c202ee635daa7b5f0377c0b35031052daa728223b7cc731db

      Download Submit

    • C:\Users\Admin\Desktop\UninstallSave.xlsm
      Filesize

      666KB

      MD5

      09d1e8ae1f52cfd85b8dc5f813eb5f59

      SHA1

      19af5951d7b40c4854ad204380115c53b8a4951c

      SHA256

      340106189106d2c8963e36698347f30c0a7e5467a0d69ece017da39118fdf6ee

      SHA512

      4920c84582cfe8904019fc1c9d777ff345490d88e64ab7c5f883dfae08ec8e49792edbce6ee9204410f6aa33026d05f9a5256f3a57d7386351a2298d383cff98

      Download Submit

    • C:\Users\Admin\Desktop\UnregisterInvoke.midi
      Filesize

      429KB

      MD5

      063112563a821f15addafda55bff545f

      SHA1

      c7a0ee85fc05c5c127ce4fa7d4dca938f0cd5568

      SHA256

      a272c17d04f94d7800e1bc7c43e75033bb56496cf9e15689ca04ef8eef044ec1

      SHA512

      010371989ded44053e8148ac8aa3ca87b08cb0333ac449044faf9d986638105a33ff302b0889cab6c3c44593a6feaa4972067cdc5d6a4386d2803ac77be27b75

      Download Submit

    • C:\Users\Admin\Desktop\UseUnregister.vsdm
      Filesize

      465KB

      MD5

      c128cfb6015676dd60253012e8ba045b

      SHA1

      0a7763869abd20b931d70e3927865376801409bd

      SHA256

      7e2ca1b2e04016ee9c291c982cc0a385654d5cf59dc6b43eede5aa9119dc52aa

      SHA512

      089ed294aaeb697c817992ce559768b9bbcd5d3cd69be82be7e5f9af8b809aa119a6fbc12da54597c2538dfc028da7a2d1ab38400c4a12e5dbc0332e20ce7a30

      Download Submit

    • C:\Users\Admin\Desktop\WriteAdd.3g2
      Filesize

      319KB

      MD5

      667d32c08a6ab9178b591d237590adcf

      SHA1

      8159204a0f75b56bdd43a4ca15b3b41ce0cccb64

      SHA256

      2a03d54579e4f5aae3fe29b8b324a768f86a39dcb29e99ad03cf69043d601144

      SHA512

      f819f324e3ac967e8ea50aa134a27e6e0159fb5ca7e02da47e4d8903f8ec059dd780f50f74d0eb1b833094395b5b072ee5709e5a2023f455246d95f9de337b39

      Download Submit

    • \Users\Admin\AppData\Local\Temp\tmpB960.tmp.exe
      Filesize

      460KB

      MD5

      35ffa4f932d84fad0a452f6cfcaeae98

      SHA1

      b61eda9dde3cce030df22bf41116e671a27969bb

      SHA256

      a196f01202e4cc5adc1743d484bae2b3994ac09efb5de2f380e616e7bae399d1

      SHA512

      b6afe314e3a3ea275008f1fa34dc7ce31eaa97e6113a3cb4ca1a5f6b4a1b415caaae4b8d182e88bdeb8f87433ac65fc3cb15c2207de496d48624743fe669cc13

      Download Submit

    • \Users\Admin\server.exe
      Filesize

      93KB

      MD5

      327274bc008bf3d8e260af2a4b70d059

      SHA1

      d4058bac2970b6d2da5b77c3fb5dffeec236262c

      SHA256

      a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

      SHA512

      bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b

      Download Submit

    • memory/2120-16-0x0000000073E00000-0x00000000743AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2120-21-0x0000000073E00000-0x00000000743AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2120-52-0x00000000091C0000-0x000000000935F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2120-27-0x00000000091C0000-0x000000000935F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2120-15-0x0000000073E00000-0x00000000743AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2196-1-0x0000000073E00000-0x00000000743AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2196-2-0x0000000073E00000-0x00000000743AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2196-0-0x0000000073E01000-0x0000000073E02000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2196-14-0x0000000073E00000-0x00000000743AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2980-35-0x0000000001F80000-0x0000000001F88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2980-34-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2992-83-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2992-77-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2992-29-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2992-56-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2992-55-0x0000000000400000-0x000000000059F000-memory.dmp

      Filesize

      1.6MB

      Download