Overview

overview

10

Static

static

1

back (2).png

windows10-1703-x64

3

back (2).png

windows10-2004-x64

10

Analysis

  • max time kernel
    1199s
  • max time network
    1151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-04-2024 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    back (2).png

  • Size

    1.0MB

  • MD5

    9a23ac8c310f99cc6301971a939570cb

  • SHA1

    ae5bf076de813feaa93df4dd5145c2bd6c7e42cc

  • SHA256

    70d5c81fbdd92309a3de3647e22711ecb55550f458aecd94a668e03477c72a7a

  • SHA512

    f7c617d12706014bd5ef6f4fbd6a2db04035c400104f0e066054803d8871e6ee653eaeb7e733fab97f14f033ec0fcf79be8cb2aca3813306cc3f47af89e30581

  • SSDEEP

    24576:tr/vtJ3UiVSlkCvWjsGkYVj7f9KB/EFAPAtBA:x/vP3uWCMVp27AtG

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    nigga

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\back (2).png"
    1⤵
      PID:3484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SelectNew.shtml
      1⤵
        PID:4584
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3964 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
        1⤵
          PID:4416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3132 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
          1⤵
            PID:4620
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4836 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:1240
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5784 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
              1⤵
                PID:4180
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5588 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3732
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5588 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                  1⤵
                    PID:376
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5840 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                    1⤵
                      PID:4196
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6156 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                      1⤵
                        PID:2800
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6320 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                        1⤵
                          PID:1972
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6480 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                          1⤵
                            PID:2476
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6636 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                            1⤵
                              PID:2880
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6836 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                              1⤵
                                PID:1716
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6368 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                                1⤵
                                  PID:1172
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5604 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                                  1⤵
                                    PID:1616
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=5836 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
                                    1⤵
                                      PID:3020
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5636 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                                      1⤵
                                        PID:4004
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7124 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                                        1⤵
                                          PID:3916
                                        • C:\Windows\System32\rundll32.exe
                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                          1⤵
                                            PID:632
                                          • C:\Users\Admin\Downloads\Release\xeno rat server.exe
                                            "C:\Users\Admin\Downloads\Release\xeno rat server.exe"
                                            1⤵
                                            • Modifies registry class
                                            • Suspicious behavior: GetForegroundWindowSpam
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4056
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                            1⤵
                                            • Drops file in Program Files directory
                                            • Enumerates system info in registry
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of WriteProcessMemory
                                            PID:1940
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b4,0x7ffc9b282e98,0x7ffc9b282ea4,0x7ffc9b282eb0
                                              2⤵
                                                PID:4912
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2200 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:2
                                                2⤵
                                                  PID:3572
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2244 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:3
                                                  2⤵
                                                    PID:2592
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2388 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                    2⤵
                                                      PID:2180
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4400 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                      2⤵
                                                        PID:804
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4400 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                        2⤵
                                                          PID:3976
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                          2⤵
                                                            PID:4460
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4540 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                            2⤵
                                                              PID:1884
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4696 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                              2⤵
                                                                PID:4872
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4640 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                                2⤵
                                                                  PID:3492
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4608 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                                  2⤵
                                                                    PID:2204
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4448 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                                    2⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:4576
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4424 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                                    2⤵
                                                                      PID:4484
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2204,i,1906205602045566019,7345650782771235005,262144 --variations-seed-version /prefetch:8
                                                                      2⤵
                                                                        PID:644
                                                                    • C:\Users\Admin\Desktop\nn.exe
                                                                      "C:\Users\Admin\Desktop\nn.exe"
                                                                      1⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      PID:4156
                                                                      • C:\Users\Admin\AppData\Roaming\XenoManager\nn.exe
                                                                        "C:\Users\Admin\AppData\Roaming\XenoManager\nn.exe"
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        PID:4040
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          "schtasks.exe" /Create /TN "nigga" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E8.tmp" /F
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:1516
                                                                    • C:\Users\Admin\Downloads\hehe.exe
                                                                      "C:\Users\Admin\Downloads\hehe.exe"
                                                                      1⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      PID:4608
                                                                      • C:\Users\Admin\AppData\Roaming\XenoManager\hehe.exe
                                                                        "C:\Users\Admin\AppData\Roaming\XenoManager\hehe.exe"
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        PID:3864
                                                                    • C:\Windows\system32\taskmgr.exe
                                                                      "C:\Windows\system32\taskmgr.exe" /4
                                                                      1⤵
                                                                      • Checks SCSI registry key(s)
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SendNotifyMessage
                                                                      PID:4988
                                                                    • C:\Windows\System32\_iyiwy.exe
                                                                      "C:\Windows\System32\_iyiwy.exe"
                                                                      1⤵
                                                                        PID:1320

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Replay Monitor

                                                                      Loading Replay Monitor...

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nn.exe.log
                                                                        Filesize

                                                                        226B

                                                                        MD5

                                                                        916851e072fbabc4796d8916c5131092

                                                                        SHA1

                                                                        d48a602229a690c512d5fdaf4c8d77547a88e7a2

                                                                        SHA256

                                                                        7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

                                                                        SHA512

                                                                        07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                        Filesize

                                                                        280B

                                                                        MD5

                                                                        80f1696f9da0e4235c619447434b8ce9

                                                                        SHA1

                                                                        6b99cf1c1ff96246feb2953e924c4f1c21ab4c22

                                                                        SHA256

                                                                        dc90753ff0d86608f929466f95bc6b553ac17a7fd2d14b5a858c12b65346fcc7

                                                                        SHA512

                                                                        a2e99550a491a9247a8c1a039e70ddda7810da8c6a8bb1abe1bd34c0afc1ad6890251137dcf533a614b310abd38c61eb8aa57a75e89dad8660eb171052cf1528

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
                                                                        Filesize

                                                                        2B

                                                                        MD5

                                                                        99914b932bd37a50b983c5e7c90ae93b

                                                                        SHA1

                                                                        bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                                        SHA256

                                                                        44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                                        SHA512

                                                                        27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
                                                                        Filesize

                                                                        3KB

                                                                        MD5

                                                                        e295937872375b62ad4421eea002ba61

                                                                        SHA1

                                                                        d03657e9b90a8efa4b2cff7895b03c9c2539dc1c

                                                                        SHA256

                                                                        679114ec31f9336efc1a873d7ee2eca71537a68013b73664ef87d05d9cb95cd5

                                                                        SHA512

                                                                        1753353c416a608f95f1cc8133a40da985ce9158e3ddbbdc81769893bf1e341be4b7a30f6955af61c4b67be5adad64f9c6488f54983c841664a7cfcd0823a6d9

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                                                        Filesize

                                                                        2B

                                                                        MD5

                                                                        d751713988987e9331980363e24189ce

                                                                        SHA1

                                                                        97d170e1550eee4afc0af065b78cda302a97674c

                                                                        SHA256

                                                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                        SHA512

                                                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
                                                                        Filesize

                                                                        40B

                                                                        MD5

                                                                        20d4b8fa017a12a108c87f540836e250

                                                                        SHA1

                                                                        1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                                                        SHA256

                                                                        6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                                                        SHA512

                                                                        507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                        Filesize

                                                                        13KB

                                                                        MD5

                                                                        563cc953e107a36e6451b03174d48a37

                                                                        SHA1

                                                                        364d583a31299f7d936f6689627471d8c077c4f0

                                                                        SHA256

                                                                        947d6d584f002b262bfe4ed1865c8a8a8faa4449559b3661bbf600ac8c826cb6

                                                                        SHA512

                                                                        df29650fddface05d744775874ca87b2df3e60c1055b6fb4c2dc1253bebd0bc1eba77bc705b9fc4b2638b2ba50ce37d744e03d2eb027ca5906c02cac3c007b16

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                                                        Filesize

                                                                        30KB

                                                                        MD5

                                                                        e4eae676553cc1f66ed60d5e28d5c0ad

                                                                        SHA1

                                                                        8626216ad83fe99127b86e5bb897c38b5698c91d

                                                                        SHA256

                                                                        403491a45327e2cfe55bf463c98b5adb6a9ade46493dfaa7f019753dbc72488c

                                                                        SHA512

                                                                        3a2d19bd23474af0647904ee8fbf8390b578e8f322ca833d572ee9d996ce1fc190d2b5fc511653e2a770b8518fafa44e3123d1ecfc10996bc2a401b0d57c1d81

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        86KB

                                                                        MD5

                                                                        940ff1b9c7aaeea53ef983ba61314db7

                                                                        SHA1

                                                                        6beb7526abf10bc4755fff5f4d969c8bbc80fb58

                                                                        SHA256

                                                                        ed5726140016043b644992311fcd7808e8f12388e197ae4f0d588cba2f533eaf

                                                                        SHA512

                                                                        65ddca60358e574de9125365422de109e30cea6d01a9054acab503055d1d761482495880b4d246340beb1138768757865fe64dcd767531b28ad67ad3aad863b9

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                        Filesize

                                                                        76KB

                                                                        MD5

                                                                        1f2daf9e7d8d93e287fe127984127f30

                                                                        SHA1

                                                                        86c3d8250f6dd83c65dd51c619863aeb08941888

                                                                        SHA256

                                                                        0ae6813b8baac9eac66794651b9e04f610700a30f9413114a58c99154d582d6e

                                                                        SHA512

                                                                        8d0643bf25737cffbbbc83fd4ae1e269d62be539ceef4cc6636a25cc5dbab2e6033b5a6db17c0fe22cdd9835723bbdd82ed176f34ff326d652c3858dd53ada3a

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Temp\78ccd299-a5ce-48ae-a9ef-6f9b0a3778cb.tmp
                                                                        Filesize

                                                                        1B

                                                                        MD5

                                                                        5058f1af8388633f609cadb75a75dc9d

                                                                        SHA1

                                                                        3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                        SHA256

                                                                        cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                        SHA512

                                                                        0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                        Download Submit

                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp5E8.tmp
                                                                        Filesize

                                                                        1KB

                                                                        MD5

                                                                        0289b5b737a73bca0c231e0e6dcd41cd

                                                                        SHA1

                                                                        9c109b587a5a17753477499eacb713f9d3cd2324

                                                                        SHA256

                                                                        d770045c747254759ca9fdea8e68c2259479bb4117135c279d202a52d192b90a

                                                                        SHA512

                                                                        a7fb30401638f459102cfc2c40970a17b8c367d6ae3dbe9b79380810a88cc9cb4d4b08e624c28218271763c251abee4544078ce4f37236f8db4c9c6b10109160

                                                                        Download Submit

                                                                      • C:\Users\Admin\Desktop\nn.exe
                                                                        Filesize

                                                                        45KB

                                                                        MD5

                                                                        0de0c7f77b1d4bfb4b0d10f80b60b353

                                                                        SHA1

                                                                        ae26ba4ddecc754f3b6f05f94453c49466d4b7f7

                                                                        SHA256

                                                                        d325b941c5f7513313eda391ee1dc1668f7c26b5239bf8499868484c1f8921a0

                                                                        SHA512

                                                                        0d28a56a3bef672e094af732ba7fe8d7e282a0c38467c5f4495a5ba73fda83f7137075dd89813ef1b2162409f0296c6e70b206b94d4154d98a12a927a3d69a40

                                                                        Download Submit

                                                                      • C:\Users\Admin\Downloads\hehe.exe
                                                                        Filesize

                                                                        45KB

                                                                        MD5

                                                                        84e0f6898a1565d1582bd9eb014b9194

                                                                        SHA1

                                                                        022cc81e7dcfacca7f055a916fa49388219cb861

                                                                        SHA256

                                                                        7d846b761a1400e8d31ab056b0e5e5c6a3ed3ee2ed42c498cb653a9395e80f33

                                                                        SHA512

                                                                        602f4251c02c59a83b500f1bd9226bc3723340a69ba24394657f6586d3190b55162b188f05981963b852956367dd9cf3dc247f539fe78d63b4f6d01a31e9f0b4

                                                                        Download Submit

                                                                      • memory/3864-477-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/3864-524-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4040-432-0x0000000005140000-0x0000000005150000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/4040-431-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4040-398-0x0000000005140000-0x0000000005150000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/4040-397-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4056-0-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4056-20-0x0000000007940000-0x000000000795A000-memory.dmp

                                                                        Filesize

                                                                        104KB

                                                                        Download

                                                                      • memory/4056-9-0x0000000004D40000-0x0000000004D50000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/4056-8-0x00000000078E0000-0x00000000078F2000-memory.dmp

                                                                        Filesize

                                                                        72KB

                                                                        Download

                                                                      • memory/4056-14-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4056-11-0x000000000A1D0000-0x000000000A282000-memory.dmp

                                                                        Filesize

                                                                        712KB

                                                                        Download

                                                                      • memory/4056-7-0x0000000005350000-0x000000000536A000-memory.dmp

                                                                        Filesize

                                                                        104KB

                                                                        Download

                                                                      • memory/4056-12-0x000000000A890000-0x000000000ABE4000-memory.dmp

                                                                        Filesize

                                                                        3.3MB

                                                                        Download

                                                                      • memory/4056-6-0x00000000050C0000-0x00000000050D4000-memory.dmp

                                                                        Filesize

                                                                        80KB

                                                                        Download

                                                                      • memory/4056-10-0x00000000097E0000-0x0000000009802000-memory.dmp

                                                                        Filesize

                                                                        136KB

                                                                        Download

                                                                      • memory/4056-5-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

                                                                        Filesize

                                                                        40KB

                                                                        Download

                                                                      • memory/4056-4-0x0000000004D40000-0x0000000004D50000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/4056-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

                                                                        Filesize

                                                                        584KB

                                                                        Download

                                                                      • memory/4056-2-0x0000000005370000-0x0000000005914000-memory.dmp

                                                                        Filesize

                                                                        5.6MB

                                                                        Download

                                                                      • memory/4056-1-0x00000000001C0000-0x00000000003C2000-memory.dmp

                                                                        Filesize

                                                                        2.0MB

                                                                        Download

                                                                      • memory/4056-19-0x00000000088D0000-0x00000000089F4000-memory.dmp

                                                                        Filesize

                                                                        1.1MB

                                                                        Download

                                                                      • memory/4056-17-0x0000000004D40000-0x0000000004D50000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/4056-15-0x0000000004D40000-0x0000000004D50000-memory.dmp

                                                                        Filesize

                                                                        64KB

                                                                        Download

                                                                      • memory/4156-382-0x0000000000280000-0x0000000000292000-memory.dmp

                                                                        Filesize

                                                                        72KB

                                                                        Download

                                                                      • memory/4156-399-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4156-383-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4608-462-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4608-476-0x0000000074D90000-0x0000000075540000-memory.dmp

                                                                        Filesize

                                                                        7.7MB

                                                                        Download

                                                                      • memory/4608-461-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

                                                                        Filesize

                                                                        72KB

                                                                        Download

                                                                      • memory/4988-503-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-502-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-508-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-510-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-512-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-511-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-513-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-509-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-507-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download

                                                                      • memory/4988-501-0x0000023E682B0000-0x0000023E682B1000-memory.dmp

                                                                        Filesize

                                                                        4KB

                                                                        Download