Overview

overview

10

Static

static

3

4363463463...63.exe

windows11-21h2-x64

10

New Text D...od.exe

windows11-21h2-x64

New Text D...od.exe

windows11-21h2-x64

Analysis

  • max time kernel
    102s
  • max time network
    115s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-11-2024 00:39

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score
10/10
asyncratmercurialgrabberumbralxmrigdefaultcollectioncredential_accessdiscoveryevasionexecutionminerratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes
  • delay

    1

  • install

    true

  • install_file

    atat.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Umbral payload 2 IoCs
  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Async RAT payload 5 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 1 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 5 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 31 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3272
      • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
        "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4652
        • C:\Users\Admin\AppData\Local\Temp\a\output.exe
          "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
        • C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
          "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Windows\SYSTEM32\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
            4⤵
            • Views/modifies file attributes
            PID:1816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4396
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4132
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            4⤵
              PID:3788
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:436
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:4624
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:4844
              • C:\Windows\system32\PING.EXE
                ping localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5000
          • C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
            "C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
              4⤵
                PID:3568
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
                  5⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3676
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF647.tmp.bat""
                4⤵
                  PID:3712
                  • C:\Windows\system32\timeout.exe
                    timeout 3
                    5⤵
                    • Delays execution with timeout.exe
                    PID:1204
                  • C:\Users\Admin\AppData\Roaming\windows.exe
                    "C:\Users\Admin\AppData\Roaming\windows.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:4472
              • C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
                "C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4808
              • C:\Users\Admin\AppData\Local\Temp\a\xs.exe
                "C:\Users\Admin\AppData\Local\Temp\a\xs.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3184
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:872
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
                    5⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4868
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpED3E.tmp.bat""
                  4⤵
                    PID:4848
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      5⤵
                      • Delays execution with timeout.exe
                      PID:1860
                    • C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
                      "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
                      5⤵
                      • Executes dropped EXE
                      PID:1148
                • C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2212
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:284
                • C:\Users\Admin\AppData\Local\Temp\a\aa.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\aa.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3148
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2180
                    • C:\Windows\system32\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
                      5⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2788
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpECE0.tmp.bat""
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1736
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      5⤵
                      • Delays execution with timeout.exe
                      PID:2476
                    • C:\Users\Admin\AppData\Roaming\atat.exe
                      "C:\Users\Admin\AppData\Roaming\atat.exe"
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:4640
                • C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3508
                • C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:1940
                • C:\Users\Admin\AppData\Local\Temp\a\start.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3344
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1028
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1512
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF5AA.tmp.bat""
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:3420
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 3
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:4492
                    • C:\Users\Admin\AppData\Roaming\System32.exe
                      "C:\Users\Admin\AppData\Roaming\System32.exe"
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2272
                • C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
                  "C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"
                  3⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Drops startup file
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:1900
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                    4⤵
                      PID:2104
                  • C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
                    "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
                    3⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    PID:2504
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                      4⤵
                      • Uses browser remote debugging
                      • Drops file in Windows directory
                      • Enumerates system info in registry
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of FindShellTrayWindow
                      PID:3104
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8dc2cc40,0x7ffb8dc2cc4c,0x7ffb8dc2cc58
                        5⤵
                          PID:4484
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
                          5⤵
                            PID:1460
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1732,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
                            5⤵
                              PID:2348
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2400 /prefetch:8
                              5⤵
                                PID:3168
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
                                5⤵
                                • Uses browser remote debugging
                                PID:1820
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
                                5⤵
                                • Uses browser remote debugging
                                PID:2968
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:1
                                5⤵
                                • Uses browser remote debugging
                                PID:1168
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4216,i,15646660297831843298,13848104224857333037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:8
                                5⤵
                                  PID:3568
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                4⤵
                                • Uses browser remote debugging
                                • Enumerates system info in registry
                                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                • Suspicious use of FindShellTrayWindow
                                PID:6528
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb7b693cb8,0x7ffb7b693cc8,0x7ffb7b693cd8
                                  5⤵
                                    PID:6796
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
                                    5⤵
                                      PID:5340
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:3
                                      5⤵
                                        PID:3788
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
                                        5⤵
                                          PID:5392
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
                                          5⤵
                                          • Uses browser remote debugging
                                          PID:6840
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
                                          5⤵
                                          • Uses browser remote debugging
                                          PID:6688
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
                                          5⤵
                                            PID:5360
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2680 /prefetch:2
                                            5⤵
                                              PID:6676
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
                                              5⤵
                                              • Uses browser remote debugging
                                              PID:6548
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
                                              5⤵
                                              • Uses browser remote debugging
                                              PID:6776
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4388 /prefetch:2
                                              5⤵
                                                PID:5184
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2420 /prefetch:2
                                                5⤵
                                                  PID:6360
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,12874495769087835896,7616432592611206611,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1980 /prefetch:2
                                                  5⤵
                                                    PID:4716
                                              • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                PID:4976
                                                • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                  C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Accesses Microsoft Outlook profiles
                                                  • System Location Discovery: System Language Discovery
                                                  • outlook_office_path
                                                  • outlook_win_path
                                                  PID:4584
                                                • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                  C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                  4⤵
                                                  • Executes dropped EXE
                                                  PID:72
                                                • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                  C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                  4⤵
                                                  • Executes dropped EXE
                                                  PID:4068
                                              • C:\Users\Admin\AppData\Local\Temp\a\random.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
                                                3⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:4332
                                              • C:\Users\Admin\AppData\Local\Temp\a\unik.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\unik.exe"
                                                3⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:4492
                                              • C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • Suspicious use of FindShellTrayWindow
                                                PID:3748
                                              • C:\Users\Admin\AppData\Local\Temp\a\test28.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\test28.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:1212
                                              • C:\Users\Admin\AppData\Local\Temp\a\test26.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\test26.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:3352
                                              • C:\Users\Admin\AppData\Local\Temp\a\test27.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\test27.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:5892
                                              • C:\Users\Admin\AppData\Local\Temp\a\test29.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\test29.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:2288
                                              • C:\Users\Admin\AppData\Local\Temp\a\test25.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\test25.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:7116
                                              • C:\Users\Admin\AppData\Local\Temp\a\test24.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\test24.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                PID:6268
                                              • C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
                                                "C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:6672
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                              2⤵
                                                PID:352
                                            • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                              "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                              1⤵
                                                PID:3892

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Reconnaissance

                                              Resource Development

                                              Initial Access

                                              Execution

                                              Command and Scripting Interpreter

                                              1
                                              T1059

                                              PowerShell

                                              1
                                              T1059.001

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Persistence

                                              Modify Authentication Process

                                              1
                                              T1556

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Privilege Escalation

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Defense Evasion

                                              Hide Artifacts

                                              1
                                              T1564

                                              Hidden Files and Directories

                                              1
                                              T1564.001

                                              Modify Authentication Process

                                              1
                                              T1556

                                              Virtualization/Sandbox Evasion

                                              4
                                              T1497

                                              Credential Access

                                              Credentials from Password Stores

                                              1
                                              T1555

                                              Credentials from Web Browsers

                                              1
                                              T1555.003

                                              Modify Authentication Process

                                              1
                                              T1556

                                              Steal Web Session Cookie

                                              1
                                              T1539

                                              Unsecured Credentials

                                              1
                                              T1552

                                              Credentials In Files

                                              1
                                              T1552.001

                                              Discovery

                                              Browser Information Discovery

                                              1
                                              T1217

                                              Peripheral Device Discovery

                                              2
                                              T1120

                                              Query Registry

                                              11
                                              T1012

                                              Remote System Discovery

                                              1
                                              T1018

                                              System Information Discovery

                                              7
                                              T1082

                                              System Location Discovery

                                              1
                                              T1614

                                              System Language Discovery

                                              1
                                              T1614.001

                                              System Network Configuration Discovery

                                              1
                                              T1016

                                              Internet Connection Discovery

                                              1
                                              T1016.001

                                              Virtualization/Sandbox Evasion

                                              4
                                              T1497

                                              Lateral Movement

                                              Collection

                                              Data from Local System

                                              1
                                              T1005

                                              Email Collection

                                              1
                                              T1114

                                              Command and Control

                                              Web Service

                                              1
                                              T1102

                                              Exfiltration

                                              Impact

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\ProgramData\GDGIJECGDGCB\FIDHCFBAK
                                                Filesize

                                                40KB

                                                MD5

                                                a182561a527f929489bf4b8f74f65cd7

                                                SHA1

                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                SHA256

                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                SHA512

                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                Filesize

                                                2B

                                                MD5

                                                d751713988987e9331980363e24189ce

                                                SHA1

                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                SHA256

                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                SHA512

                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                627073ee3ca9676911bee35548eff2b8

                                                SHA1

                                                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                SHA256

                                                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                SHA512

                                                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                02a4b762e84a74f9ee8a7d8ddd34fedb

                                                SHA1

                                                4a870e3bd7fd56235062789d780610f95e3b8785

                                                SHA256

                                                366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

                                                SHA512

                                                19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                152B

                                                MD5

                                                826c7cac03e3ae47bfe2a7e50281605e

                                                SHA1

                                                100fbea3e078edec43db48c3312fbbf83f11fca0

                                                SHA256

                                                239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

                                                SHA512

                                                a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                5KB

                                                MD5

                                                eb2516936ec91e4a671f5fcda206d9e6

                                                SHA1

                                                09ddc9e73437ce35aa1a9d6e17af95c4d13c6c33

                                                SHA256

                                                dfa65df447443e7a5af77a76e7d544b782f4c3b3ae744a4698bab9b3caa41cf1

                                                SHA512

                                                c050ed4ae043003a9589f66f3a572f37577cd9867c72980f03db406f7c99f07cba711ff871ac9903bf623c6fb8615b8418518822188a9fd9e6ef5cd289e8bcd9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                                Filesize

                                                264KB

                                                MD5

                                                f50f89a0a91564d0b8a211f8921aa7de

                                                SHA1

                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                SHA256

                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                SHA512

                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3UZNLR3Y\download[1].htm
                                                Filesize

                                                1B

                                                MD5

                                                cfcd208495d565ef66e7dff9f98764da

                                                SHA1

                                                b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                SHA256

                                                5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                SHA512

                                                31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                d0a4a3b9a52b8fe3b019f6cd0ef3dad6

                                                SHA1

                                                fed70ce7834c3b97edbd078eccda1e5effa527cd

                                                SHA256

                                                21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

                                                SHA512

                                                1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                948B

                                                MD5

                                                75750301db717dee0ddce4939072ec41

                                                SHA1

                                                d4a763f4ced8ff5be9df24e0d6ec676a7a080527

                                                SHA256

                                                abfcadfc1dab687291dec5402f5472132f4d2460e85a498a37efa5ac9dc09888

                                                SHA512

                                                e02fbfc783aeb85a16422baf6df381b88415a89a29316695e48c1edb65745ec801759e276803207645d59b81e3ad38f584caad824772035ee6ce46c333f75ce3

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                1KB

                                                MD5

                                                0ac871344dc49ae49f13f0f88acb4868

                                                SHA1

                                                5a073862375c7e79255bb0eab32c635b57a77f98

                                                SHA256

                                                688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

                                                SHA512

                                                ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                1KB

                                                MD5

                                                9402c815c24778d14ceb8f13bff17188

                                                SHA1

                                                73fe123e5546ab00211dd0a0eed5a639c9bf60bf

                                                SHA256

                                                e6cbc21e42e21db1d8cf2b9333af227772bd94be3611e5e689a578eb4ad19d46

                                                SHA512

                                                a5ce6180e902c2f486c2f1c334ed47bf9f77c569a00279447b20fa5fb6b0f0b4d55dbf82e0e81ac1c8e2d2a9dbedb65dbdfbb4006f500373371f14df37d2ac9c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fa2051oa.okz.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
                                                Filesize

                                                234KB

                                                MD5

                                                718d9132e5472578611c8a24939d152d

                                                SHA1

                                                8f17a1619a16ffbbc8d57942bd6c96b4045e7d68

                                                SHA256

                                                09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced

                                                SHA512

                                                6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
                                                Filesize

                                                63KB

                                                MD5

                                                56c640c4191b4b95ba344032afd14e77

                                                SHA1

                                                c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

                                                SHA256

                                                ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

                                                SHA512

                                                617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
                                                Filesize

                                                409KB

                                                MD5

                                                2d79aec368236c7741a6904e9adff58f

                                                SHA1

                                                c0b6133df7148de54f876473ba1c64cb630108c1

                                                SHA256

                                                b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

                                                SHA512

                                                022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
                                                Filesize

                                                7KB

                                                MD5

                                                07edde1f91911ca79eb6088a5745576d

                                                SHA1

                                                00bf2ae194929c4276ca367ef6eca93afba0e917

                                                SHA256

                                                755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

                                                SHA512

                                                8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
                                                Filesize

                                                2.1MB

                                                MD5

                                                169a647d79cf1b25db151feb8d470fc7

                                                SHA1

                                                86ee9ba772982c039b070862d6583bcfed764b2c

                                                SHA256

                                                e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

                                                SHA512

                                                efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\aa.exe
                                                Filesize

                                                74KB

                                                MD5

                                                447523b766e4c76092414a6b42080308

                                                SHA1

                                                f4218ea7e227bde410f5cbd6b26efd637fc35886

                                                SHA256

                                                3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

                                                SHA512

                                                98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
                                                Filesize

                                                63KB

                                                MD5

                                                9efaf6b98fdde9df4532d1236b60619f

                                                SHA1

                                                5d1414d09d54de16b04cd0cd05ccfc0692588fd1

                                                SHA256

                                                7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

                                                SHA512

                                                eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
                                                Filesize

                                                56KB

                                                MD5

                                                a7b36da8acc804d5dd40f9500277fea9

                                                SHA1

                                                5c80776335618c4ad99d1796f72ebeb53a12a40b

                                                SHA256

                                                b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

                                                SHA512

                                                ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                                Filesize

                                                320KB

                                                MD5

                                                3050c0cddc68a35f296ba436c4726db4

                                                SHA1

                                                199706ee121c23702f2e7e41827be3e58d1605ea

                                                SHA256

                                                6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2

                                                SHA512

                                                b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
                                                Filesize

                                                8KB

                                                MD5

                                                fc58aae64a21beb97e1f8eb000610801

                                                SHA1

                                                d377b4da7d8992b0c00455b88550515369b48c78

                                                SHA256

                                                a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

                                                SHA512

                                                601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
                                                Filesize

                                                74KB

                                                MD5

                                                4b1b45bb55ccdd4b078459ade3763e6d

                                                SHA1

                                                049344853c902e22e70ae231c669bf0751185716

                                                SHA256

                                                1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

                                                SHA512

                                                b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\output.exe
                                                Filesize

                                                41KB

                                                MD5

                                                a0e598ec98a975405420be1aadaa3c2a

                                                SHA1

                                                d861788839cfb78b5203686334c1104165ea0937

                                                SHA256

                                                e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

                                                SHA512

                                                e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\random.exe
                                                Filesize

                                                1.9MB

                                                MD5

                                                50a2b1ed762a07b62770d1532a5c0e57

                                                SHA1

                                                3e89b640f5bc1cfd6da2dded0f6aea947a7f6353

                                                SHA256

                                                859fca2ff16a4c2e55accf995c415e046c4d4150fb3b50064ee26acbb02cb853

                                                SHA512

                                                207ad9f0a03fbb9bd58087fb49bd84c71493e4e840a367b0732b8dc836184845c4c0b9f873a9c068ca3295786a283d2bd936aa01cc87e9a3f1e26e2cfcabf7ca

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
                                                Filesize

                                                229KB

                                                MD5

                                                1e10af7811808fc24065f18535cf1220

                                                SHA1

                                                65995bcb862aa66988e1bb0dbff75dcac9b400c7

                                                SHA256

                                                e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

                                                SHA512

                                                f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\start.exe
                                                Filesize

                                                45KB

                                                MD5

                                                b733e729705bf66c1e5c66d97e247701

                                                SHA1

                                                25eec814abdf1fc6afe621e16aa89c4eb42616b9

                                                SHA256

                                                9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

                                                SHA512

                                                09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\test24.exe
                                                Filesize

                                                354KB

                                                MD5

                                                6afc3c2a816aed290389257f6baedfe2

                                                SHA1

                                                7a6882ad4753745201e57efd526d73092e3f09ca

                                                SHA256

                                                ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

                                                SHA512

                                                802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\test25.exe
                                                Filesize

                                                354KB

                                                MD5

                                                c9942f1ac9d03abdb6fa52fe6d789150

                                                SHA1

                                                9a2a98bd2666344338c9543acfc12bc4bca2469b

                                                SHA256

                                                19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

                                                SHA512

                                                8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\test26.exe
                                                Filesize

                                                354KB

                                                MD5

                                                b9054fcd207162b0728b5dfae1485bb7

                                                SHA1

                                                a687dc87c8fb69c7a6632c990145ae8d598113ce

                                                SHA256

                                                db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

                                                SHA512

                                                76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\test27.exe
                                                Filesize

                                                354KB

                                                MD5

                                                ae1904cb008ec47312a8cbb976744cd4

                                                SHA1

                                                7fce66e1a25d1b011df3ed8164c83c4cc78d0139

                                                SHA256

                                                819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

                                                SHA512

                                                52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\test28.exe
                                                Filesize

                                                354KB

                                                MD5

                                                1fa166752d9ff19c4b6d766dee5cce89

                                                SHA1

                                                80884d738936b141fa173a2ed2e1802e8dfcd481

                                                SHA256

                                                8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

                                                SHA512

                                                5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\test29.exe
                                                Filesize

                                                354KB

                                                MD5

                                                fccc38fc0f68b8d2757ee199db3b5d21

                                                SHA1

                                                bc38fe00ad9dd15cecca295e4046a6a3b085d94d

                                                SHA256

                                                b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

                                                SHA512

                                                219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
                                                Filesize

                                                4.2MB

                                                MD5

                                                ac8ca19033e167cae06e3ab4a5e242c5

                                                SHA1

                                                8794e10c8f053b5709f6610f85fcaed2a142e508

                                                SHA256

                                                d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507

                                                SHA512

                                                524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\unik.exe
                                                Filesize

                                                1.9MB

                                                MD5

                                                8d4744784b89bf2c1affb083790fdc88

                                                SHA1

                                                d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

                                                SHA256

                                                d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

                                                SHA512

                                                b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
                                                Filesize

                                                2.9MB

                                                MD5

                                                45fe36d03ea2a066f6dd061c0f11f829

                                                SHA1

                                                6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

                                                SHA256

                                                832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

                                                SHA512

                                                c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\a\xs.exe
                                                Filesize

                                                56KB

                                                MD5

                                                717f7ee9f178509f07ace113f47bb6d1

                                                SHA1

                                                6ce32babec7538b702d38483ac6031c18a209f96

                                                SHA256

                                                50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

                                                SHA512

                                                5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpECE0.tmp.bat
                                                Filesize

                                                148B

                                                MD5

                                                f1b8f5def62d64570ea3f2c8887629cc

                                                SHA1

                                                7c738465809952758235ff2b02f386c899e41a65

                                                SHA256

                                                1905803c5e907a7ed05924d467fffc1447db1390401f84d92174304f6d0fea7b

                                                SHA512

                                                472d2161c502f41d8df86bc6effcdeea70e9ebdad06bf0639c125363e08339f453f86bbc758ef9109bfae339d1410e56278c5302e152d147efd7048417cea757

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpED3E.tmp.bat
                                                Filesize

                                                162B

                                                MD5

                                                5c8f8d10ae16b4c7fa4704f908657e58

                                                SHA1

                                                cf14a11905dcb1cdc0ff10d98a43f23b09e8ced2

                                                SHA256

                                                e912d75b9572ba24c27ada1b22ec71ed5b4dbb05e2e4bed20c2a57aa90225c8a

                                                SHA512

                                                d2359723076bdcb71f28da566e6278e0f2356e7e9c5fbd042f9823125581b8de973614fa8af93bb3356f0669b762e2e2f231e11aef9988d24bdc10c620094413

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpF5AA.tmp.bat
                                                Filesize

                                                152B

                                                MD5

                                                f263eb9a6666a6fdd1db413c20c6bd67

                                                SHA1

                                                5cbe5750f5981d8d607be8e6650df765140ac058

                                                SHA256

                                                4adcb2a105f08e764d2da84c8cb142674bfcc5dd46d9373acd12c432e8d81c90

                                                SHA512

                                                f2ad4d3c152943dc197b61803f485219c11dd41483b35151d629df28a2b3c073d3591a078b4efbb09a8bd6e0b17de1f32913d2b7bc660b607efb02f3cf9f02a8

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpF647.tmp.bat
                                                Filesize

                                                151B

                                                MD5

                                                b63153ac3e0690989f736ddb212321c9

                                                SHA1

                                                16b394a6e6e18dc55667bd2b7eb16bccd6e6d863

                                                SHA256

                                                425fbad8137354444309221f43f41495c2f056d7a72a608d2aaff813fd19cb32

                                                SHA512

                                                441ff22326f89289ed8396dc7360d3ec30ebd7ed4a81e3c4cd842e903923f2623e086948f1a39eee94a160f04a49403fe30a1ed6456574c4cac0cdc702430826

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
                                                Filesize

                                                8B

                                                MD5

                                                cf759e4c5f14fe3eec41b87ed756cea8

                                                SHA1

                                                c27c796bb3c2fac929359563676f4ba1ffada1f5

                                                SHA256

                                                c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                                                SHA512

                                                c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                                                Download Submit

                                              • C:\Windows\system32\drivers\etc\hosts
                                                Filesize

                                                2KB

                                                MD5

                                                4028457913f9d08b06137643fe3e01bc

                                                SHA1

                                                a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                                SHA256

                                                289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                                SHA512

                                                c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                                Download Submit

                                              • memory/284-191-0x0000000000400000-0x0000000000412000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/352-5598-0x0000026D96E20000-0x0000026D96E76000-memory.dmp

                                                Filesize

                                                344KB

                                                Download

                                              • memory/352-1601-0x0000000000400000-0x00000000004CE000-memory.dmp

                                                Filesize

                                                824KB

                                                Download

                                              • memory/352-1602-0x0000026D96D90000-0x0000026D96D98000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/352-1603-0x0000026DB1080000-0x0000026DB118A000-memory.dmp

                                                Filesize

                                                1.0MB

                                                Download

                                              • memory/1156-60-0x000001C26EB10000-0x000001C26EB32000-memory.dmp

                                                Filesize

                                                136KB

                                                Download

                                              • memory/1364-41-0x00000202C6520000-0x00000202C6560000-memory.dmp

                                                Filesize

                                                256KB

                                                Download

                                              • memory/1364-212-0x00000202E0DB0000-0x00000202E0DC2000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/1364-211-0x00000202C8370000-0x00000202C837A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/1364-141-0x00000202E0D30000-0x00000202E0DA6000-memory.dmp

                                                Filesize

                                                472KB

                                                Download

                                              • memory/1364-145-0x00000202C8380000-0x00000202C83D0000-memory.dmp

                                                Filesize

                                                320KB

                                                Download

                                              • memory/1364-148-0x00000202C8330000-0x00000202C834E000-memory.dmp

                                                Filesize

                                                120KB

                                                Download

                                              • memory/1580-54-0x0000000000610000-0x0000000000626000-memory.dmp

                                                Filesize

                                                88KB

                                                Download

                                              • memory/1900-344-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-318-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-303-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-352-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-350-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-348-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-333-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-346-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-314-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-342-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-338-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-336-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-334-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-330-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-328-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-326-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-324-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-322-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-321-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-1490-0x000001D2651B0000-0x000001D2651FC000-memory.dmp

                                                Filesize

                                                304KB

                                                Download

                                              • memory/1900-316-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-312-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-310-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-308-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-306-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-304-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-301-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-298-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-296-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-294-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-292-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-290-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-289-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-1592-0x000001D265240000-0x000001D265294000-memory.dmp

                                                Filesize

                                                336KB

                                                Download

                                              • memory/1900-340-0x000001D264E00000-0x000001D264F98000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-288-0x000001D264E00000-0x000001D264F9E000-memory.dmp

                                                Filesize

                                                1.6MB

                                                Download

                                              • memory/1900-287-0x000001D24A4A0000-0x000001D24A6BC000-memory.dmp

                                                Filesize

                                                2.1MB

                                                Download

                                              • memory/1900-1489-0x000001D2650A0000-0x000001D2651AE000-memory.dmp

                                                Filesize

                                                1.1MB

                                                Download

                                              • memory/1940-158-0x00000000006F0000-0x0000000000704000-memory.dmp

                                                Filesize

                                                80KB

                                                Download

                                              • memory/2212-101-0x0000000000F30000-0x0000000000F38000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/2212-178-0x0000000005960000-0x000000000596A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/2212-182-0x0000000006480000-0x000000000651C000-memory.dmp

                                                Filesize

                                                624KB

                                                Download

                                              • memory/2436-29-0x00000000007C0000-0x00000000007D0000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/2504-5747-0x0000000000400000-0x000000000066D000-memory.dmp

                                                Filesize

                                                2.4MB

                                                Download

                                              • memory/2504-570-0x0000000000400000-0x000000000066D000-memory.dmp

                                                Filesize

                                                2.4MB

                                                Download

                                              • memory/3148-115-0x0000000000BC0000-0x0000000000BD8000-memory.dmp

                                                Filesize

                                                96KB

                                                Download

                                              • memory/3184-87-0x0000000000150000-0x0000000000164000-memory.dmp

                                                Filesize

                                                80KB

                                                Download

                                              • memory/3344-196-0x0000000000D80000-0x0000000000D92000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/3508-142-0x00000000006F0000-0x0000000000708000-memory.dmp

                                                Filesize

                                                96KB

                                                Download

                                              • memory/3748-1547-0x00007FF7A5AE0000-0x00007FF7A6730000-memory.dmp

                                                Filesize

                                                12.3MB

                                                Download

                                              • memory/3748-3970-0x00007FF7A5AE0000-0x00007FF7A6730000-memory.dmp

                                                Filesize

                                                12.3MB

                                                Download

                                              • memory/4332-5691-0x0000000000400000-0x00000000008B9000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/4332-1509-0x0000000000400000-0x00000000008B9000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/4332-1591-0x0000000000400000-0x00000000008B9000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/4492-2105-0x0000000000400000-0x00000000008BA000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/4492-1521-0x0000000000400000-0x00000000008BA000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/4492-5751-0x0000000000400000-0x00000000008BA000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/4652-14-0x0000000000310000-0x0000000000326000-memory.dmp

                                                Filesize

                                                88KB

                                                Download

                                              • memory/4652-15-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4652-5745-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4652-16-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4652-237-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4652-17-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4808-90-0x0000000005D00000-0x00000000062A6000-memory.dmp

                                                Filesize

                                                5.6MB

                                                Download

                                              • memory/4808-86-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/4808-127-0x0000000005A00000-0x0000000005A0A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/4808-100-0x0000000005850000-0x00000000058E2000-memory.dmp

                                                Filesize

                                                584KB

                                                Download

                                              • memory/4864-42-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4864-5752-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4864-2-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4864-0-0x00007FFB801F3000-0x00007FFB801F5000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/4864-1-0x0000000000240000-0x0000000000248000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/4976-1156-0x00000000052E0000-0x00000000052E6000-memory.dmp

                                                Filesize

                                                24KB

                                                Download

                                              • memory/4976-1043-0x00000000008D0000-0x0000000000926000-memory.dmp

                                                Filesize

                                                344KB

                                                Download

                                              • memory/4976-1304-0x0000000004BB0000-0x0000000004C12000-memory.dmp

                                                Filesize

                                                392KB

                                                Download

                                              • memory/4976-1488-0x0000000005330000-0x0000000005336000-memory.dmp

                                                Filesize

                                                24KB

                                                Download