bitrat | hxxp://Scan vps

Analysis

max time kernel
1800s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21-07-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Scan vps

Score

10^/10

bitrat neshta discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

158.58.168.61:1337

Attributes

communication_password
2fdbb4b27758a54f27d8f8cbb485787b
install_dir
system32
install_file
Windows Update.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect Neshta payload 32 IoCs

resource	yara_rule
behavioral1/files/0x00070000000278aa-588.dat	family_neshta
behavioral1/memory/1516-694-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000002ac3c-695.dat	family_neshta
behavioral1/files/0x00070000000278b9-739.dat	family_neshta
behavioral1/files/0x0005000000027995-738.dat	family_neshta
behavioral1/files/0x000200000002791b-737.dat	family_neshta
behavioral1/files/0x00050000000279d4-736.dat	family_neshta
behavioral1/files/0x0002000000027933-735.dat	family_neshta
behavioral1/files/0x00050000000279c2-734.dat	family_neshta
behavioral1/files/0x0002000000027920-733.dat	family_neshta
behavioral1/files/0x00020000000278b1-732.dat	family_neshta
behavioral1/files/0x00050000000279c1-731.dat	family_neshta
behavioral1/files/0x000700000002789e-730.dat	family_neshta
behavioral1/files/0x00070000000278a2-728.dat	family_neshta
behavioral1/files/0x000800000002790a-727.dat	family_neshta
behavioral1/files/0x00050000000279cf-726.dat	family_neshta
behavioral1/files/0x00070000000278c1-746.dat	family_neshta
behavioral1/files/0x0001000000028b68-753.dat	family_neshta
behavioral1/files/0x000100000002a57d-755.dat	family_neshta
behavioral1/files/0x000100000002a57c-754.dat	family_neshta
behavioral1/files/0x0001000000028b67-752.dat	family_neshta
behavioral1/files/0x0001000000028b66-751.dat	family_neshta
behavioral1/files/0x0001000000029c56-750.dat	family_neshta
behavioral1/files/0x0001000000028bbc-749.dat	family_neshta
behavioral1/files/0x0003000000027999-748.dat	family_neshta
behavioral1/files/0x00090000000278c3-747.dat	family_neshta
behavioral1/memory/1516-772-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3972-774-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1516-776-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4648-777-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2108-780-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3236-795-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Contacts a large (10300) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NLBrute.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	winpcap-4.3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NLBrute.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NLBrute.exe

Executes dropped EXE 8 IoCs

pid	Process
5028	keygen[pc-ret].exe
2108	svchost.com
4648	svchost.com
3972	svchost.com
5036	WINDOW~1.EXE
1536	svchost.exe
3236	svchost.com
2436	NLBrute.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine	NLBrute.exe

Loads dropped DLL 9 IoCs

pid	Process
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe
5032	winpcap-4.3.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	keygen[pc-ret].exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002ac3e-705.dat	upx
behavioral1/memory/5036-773-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-781-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-784-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-785-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-796-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-798-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-801-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-803-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-805-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-808-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-810-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-812-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-817-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-819-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-821-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-824-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-826-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-830-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-832-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-836-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-838-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-849-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-851-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-855-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-857-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-864-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5036-867-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\system32\\Windows Update.exe"	WINDOW~1.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pthreadVC.dll	winpcap-4.3.exe
File created	C:\Windows\SysWOW64\wpcap.dll	winpcap-4.3.exe
File created	C:\Windows\SysWOW64\Packet.dll	winpcap-4.3.exe
File created	C:\Windows\system32\wpcap.dll	winpcap-4.3.exe
File created	C:\Windows\system32\Packet.dll	winpcap-4.3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5028	keygen[pc-ret].exe
5036	WINDOW~1.EXE
5036	WINDOW~1.EXE
5036	WINDOW~1.EXE
5036	WINDOW~1.EXE
2436	NLBrute.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File created	C:\Program Files\WinPcap\LICENSE	winpcap-4.3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	keygen[pc-ret].exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	keygen[pc-ret].exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	keygen[pc-ret].exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000004000000030000000200000000000000ffffffff	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	NLBrute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NLBrute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	keygen[pc-ret].exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 5e00310000000000f558234210004e4c425255547e320000460009000400efbef558753ff55823422e000000adab020000000100000000000000000000000000000086658e004e004c0020004200720075007400650020003200000018000000	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "8"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings	Massscan_GUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NLBrute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = ffffffff	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	NLBrute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NLBrute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NLBrute.exe
Key created	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NLBrute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NLBrute.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	NLBrute.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ScanVPS(3).zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local:21-07-2024	WINDOW~1.EXE
File opened for modification	C:\Users\Admin\AppData\Local:21-07-2024	WINDOW~1.EXE

Opens file in notepad (likely ransom note) 7 IoCs

ransomware

pid	Process
1984	NOTEPAD.EXE
3228	NOTEPAD.EXE
4636	NOTEPAD.EXE
1008	NOTEPAD.EXE
1384	NOTEPAD.EXE
3216	NOTEPAD.EXE
3088	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
2840	msedge.exe
2840	msedge.exe
3876	identity_helper.exe
3876	identity_helper.exe
1404	msedge.exe
1404	msedge.exe
3644	msedge.exe
3644	msedge.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
5028	keygen[pc-ret].exe
5028	keygen[pc-ret].exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	NLBrute.exe

Suspicious behavior: LoadsDriver 49 IoCs

pid	Process
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	576	AUDIODG.EXE
Token: SeDebugPrivilege	1228	Massscan_GUI.exe
Token: SeShutdownPrivilege	5036	WINDOW~1.EXE
Token: 33	2540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2540	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
2436	NLBrute.exe
2436	NLBrute.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
1228	Massscan_GUI.exe
2436	NLBrute.exe
2436	NLBrute.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
5032	winpcap-4.3.exe
4500	MiniSearchHost.exe
1536	svchost.exe
5036	WINDOW~1.EXE
5036	WINDOW~1.EXE
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe
2436	NLBrute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2528	2840	msedge.exe	81
PID 2840 wrote to memory of 2528	2840	msedge.exe	81
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 396	2840	msedge.exe	82
PID 2840 wrote to memory of 1084	2840	msedge.exe	83
PID 2840 wrote to memory of 1084	2840	msedge.exe	83
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84
PID 2840 wrote to memory of 2780	2840	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Scan vps
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fffe9273cb8,0x7fffe9273cc8,0x7fffe9273cd8
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4280 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,3364231626097767297,9499716435003874871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:1404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:132

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\user.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1008

C:\Users\Admin\Desktop\MassScan\winpcap-4.3.exe
"C:\Users\Admin\Desktop\MassScan\winpcap-4.3.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5032
- C:\Windows\SysWOW64\net.exe
  net stop npf
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop npf
    3⤵
    PID:3768
- C:\Windows\SysWOW64\net.exe
  net start npf
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start npf
    3⤵
    PID:5116

C:\Users\Admin\Desktop\MassScan\Massscan_GUI.exe
"C:\Users\Admin\Desktop\MassScan\Massscan_GUI.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1228
- C:\Users\Admin\Desktop\MassScan\masscan.exe
  "C:\Users\Admin\Desktop\MassScan\masscan.exe" -iL Input.txt -oL Output.txt --open --rate 1000000 -p3389 --exclude 255.255.255.255 --open-only --SendQ
  2⤵
  PID:4628
- C:\Users\Admin\Desktop\MassScan\masscan.exe
  "C:\Users\Admin\Desktop\MassScan\masscan.exe" -iL Input.txt -oL Output.txt --open --rate 1000000 -p3389 --exclude 255.255.255.255 --open-only --SendQ
  2⤵
  PID:1680
- C:\Users\Admin\Desktop\MassScan\masscan.exe
  "C:\Users\Admin\Desktop\MassScan\masscan.exe" -iL Input.txt -oL Output.txt --open --rate 1000000 -p3389 --exclude 255.255.255.255 --open-only --SendQ
  2⤵
  PID:1740
- C:\Users\Admin\Desktop\MassScan\masscan.exe
  "C:\Users\Admin\Desktop\MassScan\masscan.exe" -iL Input.txt -oL Output.txt --open --rate 1000000 -p3389 --exclude 255.255.255.255 --open-only --SendQ
  2⤵
  PID:2856
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MassScan\IPs.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1384
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MassScan\IPs.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3216
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MassScan\IPs.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4968

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MassScan\IPs.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1984

C:\Users\Admin\Desktop\NL Brute\keygen[pc-ret].exe
"C:\Users\Admin\Desktop\NL Brute\keygen[pc-ret].exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1516
- C:\Users\Admin\AppData\Local\Temp\3582-490\keygen[pc-ret].exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\keygen[pc-ret].exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\NLBRUT~1\svchost.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2108
- C:\Users\Admin\Desktop\NLBRUT~1\svchost.exe
  C:\Users\Admin\Desktop\NLBRUT~1\svchost.exe
  2⤵
  - Modifies registry class
  PID:2244
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4648
  - - C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
      C:\Users\Admin\AppData\Roaming\WINDOW~1.EXE
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5036
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1536

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\Desktop\NLBRUT~2\NLBrute.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3236
- C:\Users\Admin\Desktop\NLBRUT~2\NLBrute.exe
  C:\Users\Admin\Desktop\NLBRUT~2\NLBrute.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2436

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\user.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

Filesize
335KB

MD5
e4351f1658eab89bbd70beb15598cf1c

SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea

SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb

SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

Download Submit
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

Filesize
433KB

MD5
674eddc440664b8b854bc397e67ee338

SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d

SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457

SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4656c526f71d2c1122865ef7c6af3ff5

SHA1
61684265064c225f323d304931ff7764f5700ac2

SHA256
7172417b8464d5c2f52edfc867f4d83e475b58fd316b1916cdde30ed5bdde80e

SHA512
c3e4fc0baa216ef561a448e42378af01a50e0ebd9b5fe554c9af0ea3362b9ca2f4a1b99cfab66c18df085250dd7a5ca1b01ab256e28156d657c579f5518aa56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc5eae38782879246edf98418132e890

SHA1
46aa7cc473f743c270ed2dc21841ddc6fc468c30

SHA256
b9dd7185c7678a25210a40f5a8cac3d048f7774042d93380bbbd1abb94d810d7

SHA512
73680b22df232f30faa64f485a4c2f340ba236b5918915866f84053f06532b0a722c4ee8038af3689ac04db41277c7852f7a11a0a15833ef66bcc046ee28afb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0551f71f7d394c3c6181c876ac23ae77

SHA1
59e9be2e69b5d4150c94135d1e4ccada20321619

SHA256
1f699e17286633b4f84792c929dd0f90541fc69a4c2cb1db734cd916cc7d4a5d

SHA512
0efd1cc00c3a874b100b3e71754e011438a36be8beaa9219ce1c07c16bc86f6168ac9490765b8f09d3fafe23b47ccb1474531f21741a3790212dc4f52760fcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9a1b34caa239750a50d2797c0bd52386

SHA1
d89f17696f0f03f2a3176a1a566970fbe6aa8274

SHA256
73fd5883abbe1925b1a8030983ce8139e425503c31887cd32d248ee505abad45

SHA512
a22fbe25e34523241cf26eb156666e3f58213f02284ba51ad89a9799ae26658b990e42828e69e1ec9ea77032158214dabb859fa84abd758994797823ad96c528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4cbc806f2c908791dbcb174c7d7438e0

SHA1
b7ebe1dd2846187db4b99ee171cc1d53bdbff2f1

SHA256
2f88950e1e877f6ee38f40b85fdc626546d4b2803442f983e78f877a0ed3bc51

SHA512
133a8e800b36855dc8a0971091bfe61b356f6fa3927903035ddb1768fb26645c67dc2845accb9709e872d519c1ab634413cfcaa8255249f862fbbbb3439bbfc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa77d46233e5efe3e826d50bd7fd84e4

SHA1
22faeb96c47ec8d24f50835461e711789002e66c

SHA256
fd774668b63f409849d6b4c01ef26e202327d39f3a3a7960da646fd7154896da

SHA512
9e91bbbe04f667174f216246d57a1586ea3b2e58a08375915ec33199d4184081fbd118ce2003f81e905691c341a373b1f5b5503f5bb5d22ef2be7bd72ce315a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
522e12d0794b2a26ced9e50552c6a7d9

SHA1
b3dd06ea1e588d44ae4348d892fc395ce6a4f209

SHA256
ac71a8e1a8e54beebf057d229ddd93389966198cbda2fb06c7164952abab785b

SHA512
4d96231428c28c1d658c450e18c0205800dad5ca6c2a89ea8e7eba6a26dd4260b54dd69e4387564e05aeef9b3923df7d648fb5c70645c4406363ea249670c639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
98b3be3d361fa16f162189e48476a353

SHA1
fc69108f6e7c8b1c27a7fef10eaa8e8dc01e376a

SHA256
8270995c0b6434e92fe3a25eabad6186381e1cedda53669976d69a05dbe3fbbf

SHA512
8b55cfb63e179a94023e87fd84750544219333bee6d992704498bac6e6679e61e7ccf23efa9d90ca6cd01221cdcdc12111b06d41f58c6b1f86ff778dff8a1dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
02783f979d92f46384c75852e37a4b69

SHA1
02010a11a930c476513607659fe64007c39804fb

SHA256
c905ed2794724460d59c3ef83156f017d4327408e98ed4e5edcc46e763a93b43

SHA512
be75bfebc0093a899bce5a0bbe3d370847ae8f2f22e245ef7bac4151ceb15de4218e97e8510d122a416d6ce2f86d72fea1af625f69852024a7835b01642f7770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587644.TMP

Filesize
48B

MD5
ca8a96337ae51a67529559cc457842fe

SHA1
9da634462e511b5e63bf062641437b40bbf9d463

SHA256
ccc99ecfdbae1644a42621d63831f02bd2e404d52df88d8abc630a5f25e7851b

SHA512
a1bb526fa2abb3278b904b802ac4f21fb08b7331f3891039a822d6400c3c36404ef1b5a4ff9762bd27e3f5a1e8a94862ef9d32992d9d9b493c46288974d77f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b715cabea21ee4658db30f0d57aca529

SHA1
10396fcd526ed4d0ec1d1f43ed1c32138ed428a2

SHA256
24fdf49cf3cbffd6a9927a789d32dc08941e8bb7f734b8b71747727ef99e9f15

SHA512
694077cb465f6df9869f025772b59ad0a8820dab623cb6290680974f8aa7eb977a4e6f089f4c54be3b52ca07a1c268babd72bbe3963f34308e278897751be411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26b3fbbcec5c2e2f2cb2153636694a86

SHA1
1ab12c66ce4105b74f3fee65fda32fb929b28e48

SHA256
23a62b48496f18df51772b222ff77338b9c336b63344ef2465464a26c2466f52

SHA512
10e572b4732152a070b0cd3066062ec44ee780aeac2a0ce1f677207a9421bc45fbb06df67d285e75dbbaae1fa11010f73f3ef679202a6728c146b47a21f814b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
fa818effcde20598c3b9ec9eebc345dc

SHA1
a26401fd9c0b51b32e036e18f3b6ae3a14240227

SHA256
065e354a76c8f6f6db86558fe1376dd6bd479104bd75f95b4022b2be16fc69ec

SHA512
df9686a22117e1f1c8fdcc29526fe7301323a37afcd67dd83d3183546bf02849cade68f5af8eef59f415f00076d890b1f5055b94ea96ce395d416499644d0943

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\keygen[pc-ret].exe

Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6BBD.tmp\InstallOptions.dll

Filesize
14KB

MD5
79327201915b7cf3ba0c5d1a143aa925

SHA1
185b6f5520b1c39d3e7d9d91ed099698fac46d92

SHA256
1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

SHA512
c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6BBD.tmp\System.dll

Filesize
10KB

MD5
5c22bbf6730572e50eed4108af6081df

SHA1
8a13196f4d47ee7de2e35509058db954db10c72a

SHA256
3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec

SHA512
264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6BBD.tmp\final.ini

Filesize
285B

MD5
cd43aca49767e07f6200c75b31fac7d0

SHA1
2f9d9482cfcd587d4c09f5db4dbe043418ac06ce

SHA256
e7136b3c370b14cc546e71d28eddf25d5cf9d883c49db7cc38260c19d5887f20

SHA512
8ff3cdeeed30d61756189ad27be4ed7da856fc12f84cc0c3e724e56efb28d6a62bb354879a008dd4ad89d5180dc919c69531ce00c4f78c9fd2de7f78e3926a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6BBD.tmp\nsExec.dll

Filesize
6KB

MD5
6d376db8c870c88759ab0fac0f91bde4

SHA1
c1df9264442c84858735550af99c1af55204dc31

SHA256
7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

SHA512
ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6BBD.tmp\options.ini

Filesize
293B

MD5
55b42f58d24f166f108a942a60edc286

SHA1
b3657780384505952be7191bf686d040ba7e5dc2

SHA256
ee766b6c3b30018ee099a01331d42e9130f95a0136af3c7c9ac148f450188f1a

SHA512
5fc6ef31f55405583572a2ca7aba7b66abc1cd461b408855bc379d157020608a75ca0a773bd3f41643b20f0fb34375598a2cc534c892f9ce351a1960dacc5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6BBD.tmp\options.ini

Filesize
328B

MD5
341180530bb3d9155d47894b61a40c1f

SHA1
95e1a45b3398adfd7fc767a71590a866cedab500

SHA256
566a75e264c1aa6f3d990571b27ffb71eae54d2a974bd4c100c64bc22586a943

SHA512
94d6373ce0300d91fb26a1e0dd5f7b238de23ac6a30c5d7b0b3166f42ddfe995cc77ecb31900f0bff5dd83ddf208a8d572bebc46878e91e55b3fab510a6123d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
10.5MB

MD5
6aeae5adb9e002026960800ad600e0a5

SHA1
89fb810ad66dc2cfd13b3f9fa9cb7a72da0ba096

SHA256
2fac1258e3f5755a6b63ffa1715ce3645b8ee7d5c224947e5f5fb144a57cb188

SHA512
6a21fb5ceff4ed3cba32f65d39b54ac7a8b1b3f68ed24e04ef4dc5cccbcb3f8892579378ec095d40514818d553de5f52e2d365f51f82befbca020d8b7bd9713f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe

Filesize
1.4MB

MD5
b37ec293e5bcb580d448da4965dffd54

SHA1
47b36a89cab289178f6d2ffd123ac0ca8431f0e8

SHA256
29556061e8bf4bc3805e4b52abae0b12b7ca445a5b792d3daa19bcf30aa3966e

SHA512
3358f3b8f1b42aa680075af9388906f0e93cb1cd4cc5ab15a9a07df61a1604e2e53d2acf3212c53613debf156e5d21680e7ba0ad52237006c29f877b04a23371

Download Submit
C:\Users\Admin\Desktop\MassScan\IPs.txt

Filesize
178KB

MD5
d2187aa06d7f7818e1adb2f0e4ccce91

SHA1
e1954c44cd9c05b430f91cf2b3f5f0922202d111

SHA256
a8bc83e330c0cdc81691d5cc5f2d7d1c4bfbf86929c79fd62adcaa31d233757f

SHA512
e160defcdab4c717cb23ecadbb4004d9bfe1a664f636a8e46e3b6d29bd16962e4e3995c927cae2027e36c179330bc4b4cb48496ced24c80e2fb4d9c20d11b873

Download Submit
C:\Users\Admin\Desktop\MassScan\Input.txt

Filesize
167KB

MD5
1ea74df81b2590addd419440e3705502

SHA1
aa901512e75aca8500962fe1d8c8dc294c606c6c

SHA256
f535fe9b931c66c63a6b4923de9c83a8eb610afb55914cfa8b6f9fba139e0e82

SHA512
2c9ef263c21e1f455b8d59e9399a5d6f56a57f7c465510e91c136a16887a6224e2dbf6ef114e6605d32584844b0a298e9481d9c7f9312d45cd41206df3aeee9b

Download Submit
C:\Users\Admin\Desktop\NL Brute 2\servers.txt

Filesize
220KB

MD5
eb0ca321580ce497cad8f44cc4a67237

SHA1
2b4be721202effe849eba6e2025f949103976e43

SHA256
072434f0c9aae28dcad6d485cf4c16a7ddb75e8c8385d5aacc40abd86da7cc6c

SHA512
7a1d40b3b7dcbcd484abea7a226994bde874006d8edd10d67266c09ff03822c374cb63641987f79b40b94ca064a896a8d3124827f7819133b6b701e361f27566

Download Submit
C:\Users\Admin\Desktop\NL Brute 2\settings.ini

Filesize
140B

MD5
5731324ced3cd1eec85476bacae9bed3

SHA1
112c8dc3e5877657b84f539ccddb923527219104

SHA256
a240d0cb2074d5dc8bfd0bb12bd02e2dbee2903e2f32ddd24c89e06249a5fc0c

SHA512
ea2b846a70c441fc1ff19ef0cdcce4812a6d0ccbee9e329dbf3cb74ed7c8e7e87f9b0c85c0d0abc8632bca5c9f2506eb51a8e871d42c14660f7e8ef6919668ed

Download Submit
C:\Users\Admin\Desktop\NL Brute 2\settings.ini

Filesize
141B

MD5
79f6ba71d166e41712251f0d5bc2162c

SHA1
2bde3d4bdb3debca097afdcc513a6f50d971ca97

SHA256
db3dd327d27068666ced33d93460cb13c50cb152e89144be1c6e532ec6617743

SHA512
5eb4cccda0fcf13b4cea637e759a6d22f1f0c52889008f85220b5d9a4d9888fa5b2e41f5693e0d4dd16040e711b2e881cb672470dcdea9a6cc8c1865102cda5b

Download Submit
C:\Users\Admin\Downloads\ScanVPS(3).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
b79ed54e73ab007f63d12c58c95d5f28

SHA1
d70454403147b914fe214aba50e21821571020e9

SHA256
7a6a84f20ec92e9cd2b61c312fd2815ec97e8c931c8eddebaa91639f25511362

SHA512
1d71a917650ffb93093cbd707bcda35efd20fa2114adbee75ffd8d1f12b140aa11b4b524748ead6712d48674da314b4bded8d483f938fdcec62e00af1c6150be

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
38b3a65d71c8929f89ecdc06cd80aa7a

SHA1
b31a9afcda8a708c7a94387e68b23858b2746464

SHA256
2213bf978e4b5da4423afe58494f226af48147dc3f4ac3229c17e7db5ab14157

SHA512
4dd639eaf9cefe990943c877ba0492d71f42196d81b9157e6d388fedef3ef8bb7234ab34f751174685686186a301cffc32e943fd51b92f049379cc512a78ec3c

Download Submit
C:\Windows\directx.sys

Filesize
92B

MD5
ead19e75b8604661fb9df19b209906b8

SHA1
74510de5bbd772ed236441067712a36ccaeaaa0d

SHA256
f94252dfe663a7b35ce930e922329d155f75e8e4ceba0990160c490ff41755d5

SHA512
33e3ce21a08a9b38c273983561714b7c0f47fc5bd1bcc886cbd0898d3e1df6cd4f8d9bf4bd46646154cbc6f645845eb18003c58718407aef5efed18c735ed163

Download Submit
C:\Windows\directx.sys

Filesize
45B

MD5
d4926bdaf9ceedca2aaff2ea01490e56

SHA1
f04bc90c2ded8178de6fb65c70573f65112025da

SHA256
29919bb6042ca6de30a4f82cc938cd27bdbdc8a82195d59d87e51e8db3aa89b9

SHA512
63f099fd892ec985171463a154644dd7221b9c4239d186c130d1dd3a9e2003704424d993a00924eeec12b7969087fc1d57c855acb42ca265ee80e69ffc9e1128

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/1228-551-0x00000000055B0000-0x0000000005606000-memory.dmp

Filesize
344KB

Download
memory/1228-550-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/1228-549-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/1228-548-0x0000000005970000-0x0000000005F16000-memory.dmp

Filesize
5.6MB

Download
memory/1228-547-0x00000000052E0000-0x000000000537C000-memory.dmp

Filesize
624KB

Download
memory/1228-546-0x0000000000910000-0x000000000096A000-memory.dmp

Filesize
360KB

Download
memory/1516-776-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1516-772-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1516-694-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-556-0x00000000018D0000-0x00000000018E8000-memory.dmp

Filesize
96KB

Download
memory/1740-560-0x0000000000DD0000-0x0000000000DE8000-memory.dmp

Filesize
96KB

Download
memory/2108-780-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2244-700-0x0000000000400000-0x00000000015F4000-memory.dmp

Filesize
18.0MB

Download
memory/2436-818-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-806-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-816-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-820-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-813-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-822-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-865-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-863-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-811-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-794-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-825-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-856-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-797-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-853-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-850-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-800-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-842-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-802-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-837-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-804-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-833-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-831-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-809-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2436-828-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2856-562-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/3236-795-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-774-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4628-553-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/4648-777-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-693-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/5028-584-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/5036-783-0x00000000749D0000-0x0000000074A0C000-memory.dmp

Filesize
240KB

Download
memory/5036-817-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-819-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-815-0x0000000073040000-0x000000007307C000-memory.dmp

Filesize
240KB

Download
memory/5036-821-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-812-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-823-0x00000000724E0000-0x000000007251C000-memory.dmp

Filesize
240KB

Download
memory/5036-824-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-810-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-826-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-827-0x0000000074BB0000-0x0000000074BEC000-memory.dmp

Filesize
240KB

Download
memory/5036-829-0x00000000749D0000-0x0000000074A0C000-memory.dmp

Filesize
240KB

Download
memory/5036-808-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-830-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-807-0x0000000073B80000-0x0000000073BBC000-memory.dmp

Filesize
240KB

Download
memory/5036-832-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-834-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-805-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-835-0x00000000749D0000-0x0000000074A0C000-memory.dmp

Filesize
240KB

Download
memory/5036-836-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-803-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-838-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-801-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-849-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-799-0x0000000073B80000-0x0000000073BBC000-memory.dmp

Filesize
240KB

Download
memory/5036-852-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-851-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-854-0x0000000073B80000-0x0000000073BBC000-memory.dmp

Filesize
240KB

Download
memory/5036-798-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-855-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-796-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-857-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-785-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-864-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-784-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-866-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-867-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-868-0x0000000073B80000-0x0000000073BBC000-memory.dmp

Filesize
240KB

Download
memory/5036-875-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-877-0x0000000073040000-0x000000007307C000-memory.dmp

Filesize
240KB

Download
memory/5036-889-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-890-0x00000000724E0000-0x000000007251C000-memory.dmp

Filesize
240KB

Download
memory/5036-902-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-903-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-922-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-781-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-942-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-778-0x0000000074BB0000-0x0000000074BEC000-memory.dmp

Filesize
240KB

Download
memory/5036-954-0x0000000072390000-0x00000000723CC000-memory.dmp

Filesize
240KB

Download
memory/5036-964-0x00000000723D0000-0x000000007240C000-memory.dmp

Filesize
240KB

Download
memory/5036-965-0x0000000072390000-0x00000000723CC000-memory.dmp

Filesize
240KB

Download
memory/5036-773-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5036-1004-0x0000000072390000-0x00000000723CC000-memory.dmp

Filesize
240KB

Download
memory/5036-1013-0x0000000072390000-0x00000000723CC000-memory.dmp

Filesize
240KB

Download
memory/5036-1025-0x0000000072390000-0x00000000723CC000-memory.dmp

Filesize
240KB

Download