Overview

overview

10

Static

static

3

Google aIc....1.exe

windows10-ltsc_2021-x64

10

Google aIc....1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/03/2025, 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Google aIc Browser v1.4.1.exe

  • Size

    83.8MB

  • MD5

    d62de6a53a4ab61def2c33c19423fe75

  • SHA1

    24607d81474572149837d2c06b644e328997080e

  • SHA256

    0efc7a12733cab4458e5ffaec5060e2bc8269e198fe03e8b81e78fd3f923a3dd

  • SHA512

    b9eb33a6b082c6f193e97d65f0ea8a01b5a66a43181e3cc2d0d469aa4e72113747c531e03a3fb55ac80131547bb84def346c34a6355d0b6915b009ad1e846908

  • SSDEEP

    1572864:gnU4QJmFhXw6H2Pso8/5Cik3D7Mg0BoQ5QzR0FT3x0YH4eJl21MyV0q0EFxrBY:gn93Flw6H2PO5CikEg0BoQLFFZ4eJYfM

Score
10/10
valleyrat_s2backdoordiscoveryexecution

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

27.124.40.155:18091

27.124.40.155:18092

27.124.40.155:18093
Attributes
  • campaign_date

    2024.12. 3

Signatures

  • ValleyRat

    ValleyRat stage2 is a backdoor written in C++.

    backdoorvalleyrat_s2
  • Valleyrat_s2 family
    valleyrat_s2
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 6 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Google aIc Browser v1.4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Google aIc Browser v1.4.1.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -ExclusionPath C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
    • C:\Windows\SysWOW64\wscript.exe
      wscript //B "C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ncps0b0r\ncps0b0r.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:6020
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9AF.tmp" "c:\Users\Admin\AppData\Local\Temp\ncps0b0r\CSC6C88E583AC5A44878ECF407185F8639.TMP"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4988
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /B /c "C:\Users\Admin\AppData\Local\Temp\monitor.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 5064"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5656
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "5064"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1456
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3824
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 5064"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:644
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "5064"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:6004
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1728
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 5064"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:852
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "5064"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3112
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1112
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 5064"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5896
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "5064"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2080
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:660
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 5064"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4796
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "5064"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4756
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:5056
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 5064"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "5064"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4488
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:6000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:468
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3868
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5724
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3180
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5052
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4516
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
    • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
      "C:\Users\Admin\AppData\Local\SGuardSvc32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\SysWOW64\edpnotify.exe
        C:\Windows\SysWOW64\edpnotify.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4323e49ccfe3440cd2f4d6b39afa0ca2

    SHA1

    5c8275498d779d7a2871badfe5177138341f3852

    SHA256

    95ae864e7c2f9c6c2513bc3dae324d1d3d17124ea7776d00ec352587245a6f96

    SHA512

    d2ebee400b77a4073a43f03cf5d7375585f9348fda606bd04c7c13967d90a113d85765b018e9e568fe2085d5dc7d21cf00863be675e2f3b818569c5cd8872f5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    73f98d55c2a3ec2580f636d84ea3c211

    SHA1

    6b2bfc24a5fce525b3ec7d674cb058d93f75fe8e

    SHA256

    1921365d34438b08b9b3541b189d15508d2d1227135ae7a6566dd3f22d06e70f

    SHA512

    6f1a60362b693260a559f50faed931ca2cd89d4abf3fc5010799056988464a4bc3186832cb0644aeb7e81aa32b4c8d10f4eba262769de5da1ccbf6defc3903c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    20KB

    MD5

    61e184804d72945e43c30743b35d9f18

    SHA1

    c0c48831c77d39779ec3390bf7476483289d48ba

    SHA256

    ae514a6e580c7c6ae8b96287201a243e5aae322a4be37bcd9521f1f6407347d9

    SHA512

    8560cd8fad6a8a86adc7e5c14133e71c77856ca94f1f74e7e509f649e7e42ecbb7b166250aa747dbccee1b8614055e6357102005bd6cac12b2478bceb4e0fe9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    20KB

    MD5

    8b2b628a1d49ba33238de0db8439c3b2

    SHA1

    7ac81fa168f21d8bced45935de97733da92bde54

    SHA256

    d81c8f3f60544c14209d2af3f30496979f5a658aba38e1d1499021de62c1afa6

    SHA512

    f0cd273491b96e23d6ec62eb5864d780a8e3679b401cfaaf6c87bd2b33d4b5fecce4fc9b9d9dd1474e37cb85dd84ba95c69f269b4c13a572c66042fc25454732

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected.ini
    Filesize

    207KB

    MD5

    ec52fa862a056975e93d2acf7889cfcf

    SHA1

    cc973fc28c8deb59a3c79375e1d247761356874c

    SHA256

    6489e9e620d90228b431544d990a99d1c94ab7f8e68b2daae5e396cf1759bfec

    SHA512

    8e68f6338ddff7abae22d568fbb6a4dc9d4a30e11b1c4d47a3b06496036a3b0437576d681b801114734a53bfcaea48cdd789061ca7d44a0a4fd71384da765a71

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected.json
    Filesize

    194KB

    MD5

    f5088d8e9f74af65dfce439c91ce5fda

    SHA1

    a5b87c273bdf258e746e6e21789e3033cd3eecfb

    SHA256

    459b001e277302d93177a59500f1fa99af2c02354ff296612406055ec62df45f

    SHA512

    f33751016a8ebc961ca979885212f8a7b47ebc8d6b610274f38e06908341ec38393f6b1eac6df412f45b66014254a73b53775ed19f929a7d3b38a62cc8a24f45

    Download Submit

  • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
    Filesize

    725KB

    MD5

    923b08492146a6a3b8bd269eb25f6372

    SHA1

    e263b5265abeae655f0ef5000196dbb80c6eca9b

    SHA256

    2fdf2af92b069e06d9cb1d9713a6e34b7223a60214d17bf3f8ee0a4d6c9a4480

    SHA512

    6f51bfd0d5b195e218231470b4bc8d4700c804252d1af48dde13a2f298e15ff725bb0641fdc868dcaef381bd805b4a7a9433ed695198001c21eafd93c9d5867f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESE9AF.tmp
    Filesize

    1KB

    MD5

    292f18dfaa2e5991a8a2947f0a2bb2ec

    SHA1

    8e511e4daae7ea0c55ce1cfae9b83ed1a9b66325

    SHA256

    adab10e5fab5e331a88afddbf58eca045c2cdb1bd9a3ea6b1ee1ed9de78e6cb9

    SHA512

    57a70f81e6724b1cccf36aac3279de028017b0f0c6a7033dd58a0334f6ff0ee7799c364f342c7401307cad787e6ad9ddc68310759ca7bd69c2d89d160ebd2597

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toqqwduv.vzf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\monitor.bat
    Filesize

    308B

    MD5

    f228f13dbde97578c2b622137fdee789

    SHA1

    1fe68592840fe03e88a181fbceca932826e9ff69

    SHA256

    61220af764ee8d7c326e4c77f66e97adf93d469c7d21c0490b377838d0d5aefd

    SHA512

    250b12c800a427ec11dcb125b573c2c304cd570f32acc5faf285d0cf43198eb7d886c44fe2ff9a87977e8b53ee239577530ce232a38db4879959755bc4703cf7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ncps0b0r\ncps0b0r.dll
    Filesize

    3KB

    MD5

    9f6a833146b7fa8f29e0daa249dec982

    SHA1

    1f51acf59ddc3abc73fdc9589f94315e079b9d21

    SHA256

    abec99ebe0a7747fde235a670767d03648138a4fb33b5cc484a7daff1698b2f9

    SHA512

    70894ce76c46d59cba96fc95967a66e3969b81f159944c04de2f9b765c30b9114b1a1904f92097789dcdd9dcba5d39774f0ee96d680181095713f1def6639a63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nseEA51.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    d095b082b7c5ba4665d40d9c5042af6d

    SHA1

    2220277304af105ca6c56219f56f04e894b28d27

    SHA256

    b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

    SHA512

    61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nseEA51.tmp\System.dll
    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nseEA51.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    2881e86e3c2c14f7ba8b0e6c20e88358

    SHA1

    170ba0577c591185b8725b7b2fb4c24e553dcfea

    SHA256

    b6a3ba38281e2d5a9c96bcbdf64ea947a0801c13c0e59e36a8ccc619a2bc44e8

    SHA512

    fceb63d8f6d9c77d4d016feda83154870058be8d617c6b82b55ba3bd17986563bb5060557fb829e63d00e58224635998733f1bbefb064520aa9dbaf84fd6c7aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nseEA51.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    fdf4b60941b49a7d541a6e72d01f0c05

    SHA1

    aad2400c551293a57583d1beffa88be47f3bc07f

    SHA256

    b91eaf597e282efa0e2ca867deceb3209b6d854d43c786a2d26217f7c7f8b038

    SHA512

    498a4d10b3c106de98252db50f152b3c13d2068955cf4eec11643b727ee85107c1943d8d8720007cc26e0ec080d469f29773be9f8000a2a6d40d11f07c7b4b84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nseEA51.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    3ebbcccd06aa6542d3f1c13d79244628

    SHA1

    2e593e93d0703d40f4a7b305a9250003b982e0fe

    SHA256

    635f3bb07514d5ce71273ec8a7085515b8abb0cb68598311b261db45bb0f4134

    SHA512

    e329676e81e898c2614f753c258a087c66756078396fc3abebe9789c3652932077270001bc67d62790797bc7478673ec8e426ae69a75341b027089caa9677938

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nseEA51.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    b4579bc396ace8cafd9e825ff63fe244

    SHA1

    32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

    SHA256

    01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

    SHA512

    3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\target.pid
    Filesize

    4B

    MD5

    1e747ddbea997a1b933aaf58a7953c3c

    SHA1

    a661210b22621d65bd0ceedc6d792b0444acaf61

    SHA256

    b28bb581f28c6301ef37c4f38ca420fccc0ad1870a1d45ab748da876be7784c5

    SHA512

    7ca6d322588df735e0a604a262f57f0f420a53ae63be91925f84b0021bcad302aac751e5d2f9ee04dab14d9f1ff1ddfa5718f55e4e8d8d200240f23073fc0c06

    Download Submit

  • C:\Users\Admin\AppData\Local\updated.ps1
    Filesize

    221B

    MD5

    9b111b45096065d52a01747528eed794

    SHA1

    6b54320b17f2f26dfdf07b0e3d1dcf9bc98a42c6

    SHA256

    77ef6e260b031433d6e78bd885166896649ed1289bb65ed2cd1343424583e305

    SHA512

    3b067d8ed3a61816e09248817a3f326203dce5619a1e4a6aa007f7cc8e18f89609a0c128e2a8c03762d3107c21f13388bf3be5ea6e2120ed3f1d2a2623a773cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TrustAsia\Config.ini
    Filesize

    565KB

    MD5

    35e1593ae2b6e6a06e66baf4ba10a789

    SHA1

    a0e18d267a8f5df85660a2910e8ecb38e694ac47

    SHA256

    bee44653a83ec183338d0a8654565c5f519ebe05158d62cb16b5969d809022a7

    SHA512

    435a23ede1a968f30a0640acaf53dd95a1b752e34f2490c0b98a01339e425904e9f59df9c849c16331a1a6082d153cf14d951e1ebbc2b6b3dda7148b0a24d30e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs
    Filesize

    296B

    MD5

    a6358b8bd98902002cbc1465bf276f01

    SHA1

    dfcb4633d17d8a15588d34a34cb6328a33e555c1

    SHA256

    3e5bec0f2a7b1b3c4d921580d0028fb6807b0589ca8d3496070d39c485ed91fc

    SHA512

    0024b856b828b37a275840157de7322d5713bc1136f5920dcd2684a37e0612c1c8823c15544bb5db8333a37821a38c83c6f587548fb551f13102cb3037eec469

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1
    Filesize

    1KB

    MD5

    959f4437520cc2aaa4752bfac7f2a7e2

    SHA1

    2d7097adac09c6c6a5dd330ff66a893ac5147bcf

    SHA256

    d3b3135e1321bcd24ccfc6fb2dc4be7531fc8740db10ee1ec5edae086603403b

    SHA512

    9fe9c40828798b12129d20add9f65620284c23e94475bbf6d1583034528e6e61147dd1fa2b9f36c3aaf6fd30f312eb1605e3d7a89fc7846f9f4db9ca807410e8

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ncps0b0r\CSC6C88E583AC5A44878ECF407185F8639.TMP
    Filesize

    652B

    MD5

    3c7b7ec294bdb3beb500ae503ad2801d

    SHA1

    611fdc25159f9f3b1db64e80ad2ce6ec8394235d

    SHA256

    e6772c33c87c6f94a8ed8f017ec023caa62430762b7d8ce202a7ada10a7d82f8

    SHA512

    a7c3a90b037ad1e1cb9ad6f9049cdd1fdc2a02f33b6fbc5fa9b0414e853510c99d390ae17a3167350fad24ebf83b50f5e87b57567bc2fb8a7f81e31160cdf50b

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ncps0b0r\ncps0b0r.0.cs
    Filesize

    266B

    MD5

    c09bbaf83f7558f61a7235b2860d45d1

    SHA1

    ab169ea364e917f698a69a760b3aceec33a6b209

    SHA256

    aa7ae06461aae58bb22b9c54bf79a1b42e153985f7cc9612bf02439204819d5c

    SHA512

    5b2e56406f1d620d2aa4fcfe7e2d824e583657e452b4a9cbf5be64d26d3050e9adf9ea4f1ec395eb514c05530eea5a3edb9b57b71fc34523136ad751675c52db

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ncps0b0r\ncps0b0r.cmdline
    Filesize

    369B

    MD5

    b835d541a7f0a0ab745908caf1d7e38e

    SHA1

    2d6595f9d66ce58e7542283b61cbec7bf40cbdcb

    SHA256

    06eda721765817f92d4884517eb977ba695a1cb43a67ac546a574591a81fb6da

    SHA512

    349929034d2879c2cbb27b00718b32e53a51c8cad83e4f849e6ffd8cbc3bd5aba422ae6299339d32366949abc5298d991f84ab602e5325266d2577f3fd199065

    Download Submit

  • memory/468-316-0x0000000007000000-0x0000000007015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/468-306-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/468-302-0x0000000006990000-0x0000000006A34000-memory.dmp

    Filesize

    656KB

    Download

  • memory/468-288-0x0000000070400000-0x000000007044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1612-357-0x0000000070400000-0x000000007044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2128-174-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2132-377-0x0000000070630000-0x0000000070987000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2132-376-0x0000000070400000-0x000000007044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4736-117-0x0000000006F00000-0x0000000006FA4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/4736-122-0x0000000007250000-0x0000000007261000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4736-85-0x0000000073A3E000-0x0000000073A3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4736-119-0x0000000007040000-0x000000000705A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4736-124-0x0000000007290000-0x00000000072A5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4736-125-0x00000000073A0000-0x00000000073BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4736-118-0x0000000007680000-0x0000000007CFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4736-116-0x0000000073A30000-0x00000000741E1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4736-123-0x0000000007280000-0x000000000728E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4736-114-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4736-126-0x0000000007380000-0x0000000007388000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4736-115-0x0000000073A30000-0x00000000741E1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4736-113-0x0000000073A30000-0x00000000741E1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4736-86-0x00000000024C0000-0x00000000024F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4736-104-0x00000000703F0000-0x000000007043C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4736-103-0x00000000062C0000-0x00000000062F4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/4736-102-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4736-87-0x0000000073A30000-0x00000000741E1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4736-88-0x0000000005120000-0x000000000574A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4736-89-0x0000000004D60000-0x0000000004D82000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4736-101-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4736-100-0x00000000057E0000-0x0000000005B37000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4736-129-0x0000000073A30000-0x00000000741E1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4736-120-0x00000000070B0000-0x00000000070BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4736-91-0x0000000005070000-0x00000000050D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4736-90-0x0000000005000000-0x0000000005066000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4736-121-0x00000000072E0000-0x0000000007376000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5052-330-0x0000000070400000-0x000000007044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5052-331-0x0000000070630000-0x0000000070987000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5064-151-0x00000000071C0000-0x00000000071E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5064-266-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5064-407-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-328-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5064-182-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5064-406-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-147-0x00000000063C0000-0x000000000640C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5064-144-0x0000000005CF0000-0x0000000006047000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5064-167-0x00000000075F0000-0x00000000075F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5064-152-0x0000000007B50000-0x00000000080F6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5064-405-0x0000000008420000-0x0000000008458000-memory.dmp

    Filesize

    224KB

    Download

  • memory/5064-273-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5064-399-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-392-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-398-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-400-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-390-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5064-401-0x0000000005170000-0x0000000005194000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5064-402-0x0000000008420000-0x0000000008458000-memory.dmp

    Filesize

    224KB

    Download

  • memory/5064-403-0x0000000008420000-0x0000000008458000-memory.dmp

    Filesize

    224KB

    Download

  • memory/5064-404-0x0000000008420000-0x0000000008458000-memory.dmp

    Filesize

    224KB

    Download

  • memory/5724-307-0x0000000070400000-0x000000007044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5952-189-0x0000000010000000-0x0000000010037000-memory.dmp

    Filesize

    220KB

    Download

  • memory/5952-187-0x0000000000310000-0x0000000000344000-memory.dmp

    Filesize

    208KB

    Download