Analysis
- max time kernel: 192s
- max time network: 216s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 00:28
Static task: static1
Behavioral task: behavioral1
- Sample: 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
- Resource: win10v2004-20221111-en
General
- Target: 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
- Size: 193KB
- MD5: b87bf62b4846f5269f6d64ae2d75ff14
- SHA1: 510c10e170a0c2e7199bddecde925e9412d69c5b
- SHA256: 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac
- SHA512: 92b041718f5a517f045c2cb45ce76bbc59de41777e3cd19574152b178e3754fc6b03686280ee17ed288396388f6f15e10124a8248dff646e501ebf0b31f2710d
- SSDEEP: 6144:kNWh6VjKOGLKkqheTcY6b35k8Mmhf5m0U:AjPGCeTcY6b3bMM5
Malware Config
Signatures
-
NetWire RAT payload 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1496-135-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/1496-137-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/1496-141-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/4264-160-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/4748-172-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/4264-173-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
behavioral2/memory/4748-178-0x0000000000400000-0x000000000041E000-memory.dmp | netwire
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
1472 | Host.exe
4864 | AppMgnt.exe
540 | hknswc.exe
4264 | Host.exe
3476 | AppMgnt.exe
4748 | hknswc.exe
2160 | AppMgnt.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | AppMgnt.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Host.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | hknswc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Host.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2640 set thread context of 1496 | 2640 | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
PID 1472 set thread context of 4264 | 1472 | Host.exe | Host.exe
PID 540 set thread context of 4748 | 540 | hknswc.exe | hknswc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2640 | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
4864 | AppMgnt.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2640 | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
Token: SeDebugPrivilege | 4864 | AppMgnt.exe
Token: 33 | 4864 | AppMgnt.exe
Token: SeIncBasePriorityPrivilege | 4864 | AppMgnt.exe
Token: SeDebugPrivilege | 1472 | Host.exe
Token: SeDebugPrivilege | 3476 | AppMgnt.exe
Token: 33 | 3476 | AppMgnt.exe
Token: SeIncBasePriorityPrivilege | 3476 | AppMgnt.exe
Token: SeDebugPrivilege | 540 | hknswc.exe
Token: SeDebugPrivilege | 2160 | AppMgnt.exe
Token: 33 | 2160 | AppMgnt.exe
Token: SeIncBasePriorityPrivilege | 2160 | AppMgnt.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
description | pid | process | target process
PID 2640 wrote to memory of 1496 | 2640 | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe
PID 1496 wrote to memory of 1472 | 1496 | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe | Host.exe
PID 2640 wrote to memory of 4864 | 2640 | 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe | AppMgnt.exe
PID 4864 wrote to memory of 540 | 4864 | AppMgnt.exe | hknswc.exe
PID 1472 wrote to memory of 4264 | 1472 | Host.exe | Host.exe
PID 1472 wrote to memory of 3476 | 1472 | Host.exe | AppMgnt.exe
PID 540 wrote to memory of 4748 | 540 | hknswc.exe | hknswc.exe
PID 540 wrote to memory of 2160 | 540 | hknswc.exe | AppMgnt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe "C:\Users\Admin\AppData\Local\Temp\57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe" 1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe "C:\Users\Admin\AppData\Local\Temp\57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe" 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe -m "C:\Users\Admin\AppData\Local\Temp\57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac.exe" 3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe "C:\Users\Admin\AppData\Roaming\Install\Host.exe" 4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe" 2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe" 3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe" 4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe" 4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.log
Filesize: 676B
MD5: 306dcf8451f1d1c4ea678200dba1150d
SHA1: d1d7cbb50687b1dccddc86e10018bb5e3b25fd45
SHA256: a499000e9be82b2f5c2aaec440ace36ea9f22acc18d7117e68de70a7e5743e61
SHA512: f51f6b58115e377619f458838f68d52d316a16c461fdeca721370252266eaf21068053c2a9d278ff551492e8b55b90e3c1fd8f985d6d4442c5d01347d188b414
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize: 193KB
MD5: b87bf62b4846f5269f6d64ae2d75ff14
SHA1: 510c10e170a0c2e7199bddecde925e9412d69c5b
SHA256: 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac
SHA512: 92b041718f5a517f045c2cb45ce76bbc59de41777e3cd19574152b178e3754fc6b03686280ee17ed288396388f6f15e10124a8248dff646e501ebf0b31f2710d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize: 16KB
MD5: ed1b702a5f7438b5e5367c593cdabc18
SHA1: bbff6d30646258a4fa45db70e8832c7a209e523b
SHA256: 8817afe4d33513ce8f7de3904a77c062a736806d6e94c70341398cb2d1a3d3e4
SHA512: dcf0289078fd05ac0820804fddf85660b8550972911db79c2dd7d8ffb6ebb63b96f7851cf4ebc7780c9fca8e1351d440258b8326c6ed20e6ce5e69ac9b416f07
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize: 193KB
MD5: b87bf62b4846f5269f6d64ae2d75ff14
SHA1: 510c10e170a0c2e7199bddecde925e9412d69c5b
SHA256: 57842c793bb7e85d0056595b2b1ba36f87b7e2b805ab7de9709b75d33b9368ac
SHA512: 92b041718f5a517f045c2cb45ce76bbc59de41777e3cd19574152b178e3754fc6b03686280ee17ed288396388f6f15e10124a8248dff646e501ebf0b31f2710d