Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-08-2024 10:27

General

  • Target

    Shellbag analyzer.exe

  • Size

    247KB

  • MD5

    d3b88d7974e5ef23ed78f97d18fd0f8a

  • SHA1

    cba12e2cfc60e994fbb7e99317c3130af9a532ea

  • SHA256

    a39234abb087b986209b4ed86dbecafb50347409f37f6d20f2ca82230c356f79

  • SHA512

    6e295e1f17e65d7685542304c8846ba076e4a52985a8cdc342cfa2969453050f6b7e98dbfe4f41247fe5dcce1f191daad42556913e04be0cc5a66c83909ab2b9

  • SSDEEP

    6144:/bwmPMVWrVb3rBPwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:/bw8ZrB5gBuj/PV

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

sdhjriajyp

Attributes
  • delay

    1

  • install

    true

  • install_file

    update.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/f2T8NYnM

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Async RAT payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shellbag analyzer.exe
    "C:\Users\Admin\AppData\Local\Temp\Shellbag analyzer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4280
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6179.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3976
      • C:\Users\Admin\AppData\Roaming\update.exe
        "C:\Users\Admin\AppData\Roaming\update.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:3232
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:3492
          • C:\Windows\system32\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2060
          • C:\Windows\system32\findstr.exe
            findstr All
            5⤵
            PID:3240
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:4336
          • C:\Windows\system32\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:700
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:4664
          • C:\Windows\system32\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:1632
          • C:\Windows\system32\findstr.exe
            findstr All
            5⤵
            PID:4236
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:4272
          • C:\Windows\system32\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:3844
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe"'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe
              "C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe"
              6⤵
              • UAC bypass
              • Windows security bypass
              • Event Triggered Execution: Image File Execution Options Injection
              • Checks computer location settings
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:884
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe" /rl HIGHEST /f
                7⤵
                PID:3608
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe'"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:436
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1580

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\Desktop.txt

    Filesize

    600B

    MD5

    a37f281bb41bfac10b2cf50e74cef0dd

    SHA1

    b777b183dd2e1475f5f65d4272493ab0ce7223fe

    SHA256

    397e0ebdefcc70203986f573b55f52d4843af3a3a6fd32faae0c899b495a3fd7

    SHA512

    153598788d38effb806fb8aca19e558de3c747ee81139311be72766b5c03259c3766c1419dfb05f10c0ca30c7c34d5c384dd6bea8ee1b70ba693bfbbde03577f

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\Documents.txt

    Filesize

    805B

    MD5

    ad23b09f266b2b2bc67f37b46b8b8455

    SHA1

    9d4ed7c79b7683ca8fcf073918cce0a66504c78d

    SHA256

    9357f61bccec494297591afb88365343f587ba5d3b7261085ab6bd3d2045bb71

    SHA512

    359ad04d555b11c8302c908d8f64fff8a39b34507aabb95100b9066ebea7112bfbaa5fd2bd1290880ecec50c01cbc51a3c997bf3c0c750965e95f74c72b31446

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\Downloads.txt

    Filesize

    633B

    MD5

    ce159708f6c1b540cb002cd01b57f640

    SHA1

    a29d63a6198c8703f865816dcc3be04024b98003

    SHA256

    430ea809f23f0a71d055e0af990812d6199948745a44dbf5d1480fca22344337

    SHA512

    37bdb96005bbc1f682723287daea71952c14c3e826dde00547452c2020b09608ddb5d5a3f695c3e3af90cbca391ce7ed7e1bfe76e8199398e9106c8de50a1ea5

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\OneDrive.txt

    Filesize

    25B

    MD5

    966247eb3ee749e21597d73c4176bd52

    SHA1

    1e9e63c2872cef8f015d4b888eb9f81b00a35c79

    SHA256

    8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

    SHA512

    bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\Pictures.txt

    Filesize

    291B

    MD5

    9a158d91ed9583794042aee3f11fa749

    SHA1

    3ac01589a530d2e65d76e0dd85fcb17fbbfba20c

    SHA256

    0881ef8f3faa62303b8622733522452839c6dc39f21d818f639a6073ac5fce6a

    SHA512

    4fbb18394ff1fff96704b27bd8fda89c813640868c6e1c011b5b376bf857fca7a5afd7335ca3adfd50620b1431018f45e17ef2ce42f7cb924f0dd2c924868ede

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\Startup.txt

    Filesize

    24B

    MD5

    68c93da4981d591704cea7b71cebfb97

    SHA1

    fd0f8d97463cd33892cc828b4ad04e03fc014fa6

    SHA256

    889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

    SHA512

    63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\Directories\Videos.txt

    Filesize

    23B

    MD5

    1fddbf1169b6c75898b86e7e24bc7c1f

    SHA1

    d2091060cb5191ff70eb99c0088c182e80c20f8c

    SHA256

    a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

    SHA512

    20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Desktop.jpg

    Filesize

    83KB

    MD5

    c96624b6d41ddafaec0cea0204105432

    SHA1

    70e5bced67b4bd0aa15819b6a7d7affca2adce5f

    SHA256

    e3a20ffc503260e603aa3cb919a3503f088993fc0724021b61d5a3fb6939f388

    SHA512

    1d47fb383a7bd7fe3deb17c7b26c0fce6f5aeb130ed3103a1f391262a6c9980d665dc4e3c1c99dc60ec45887195ec1b9dc31c152ee0c1a2bc3f44a5b53ef8f00

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

    Filesize

    4KB

    MD5

    050a8a4452a27021e7472b25cadcb66b

    SHA1

    a1c47d56c92115813ad581fc38d7f6bcc6c0604c

    SHA256

    938ad74a75225bd66c76f44ab5ea387f69370cdd4b288fba307c702840ff678f

    SHA512

    40eec7b92fd13abc61735d8b8eb776eee9aac9a9a6deebac31764da443c2897e646a579e6d003b65027ab9d138bd71d5f5e7e19172c0bb92cd7e7cc9806f3008

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

    Filesize

    798B

    MD5

    50bfe25e8e039455d2b9d1e448d52d54

    SHA1

    e1ab4f6148e413626bec59766adce34bdb8c307a

    SHA256

    a02497350e2f0fa025e4d836c2efa338882bca9536b7444db0fa6d14d0f78320

    SHA512

    23fe3aa92261c9700668b5598e72fc3fccf31c185e71df083cad60e0982499f6cfee11a986220c2ad0b553f579d5c0cd4657a7f7964a8045f29c77379c505010

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

    Filesize

    2KB

    MD5

    99afa707d58944ff9fe9c8796ee4c7d7

    SHA1

    9cc64c5100e06d3147331fd3727f93f4a786c1c3

    SHA256

    c8a833955bf326f478c6e58c2985c9fd2b2c29449c605c68f896da40d84bd55a

    SHA512

    2667fcdbe8c10528e3bc16b8bd4214d2572ee6633befcf0bc4fd61f0d17ba6977f8cf7ddcb93c26108b8638141cf646dada7a04335d5ecae8501748e29fc15bd

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

    Filesize

    2KB

    MD5

    28991c2c762e7ce68ec84e60a4b2d6e2

    SHA1

    838f22a138917b75d0f06ce10c04c8059b129d3f

    SHA256

    c175ff523f457d93af978d20f27d688465c97fcc991a1783042dd6d7896e6baa

    SHA512

    e9eba1ee0a2fe7c0c52dda49671205c2d6e23723694f4a50ff458becbefc951e2035ebe3eea7cb1931024a72ed1e4d14ff9ed9a3d040b12867f63b90969c5f31

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

    Filesize

    3KB

    MD5

    b4cf9951221a99cec075d32b327b2757

    SHA1

    dddab45f7a60d728026b4a8791c3b2bbdea6af24

    SHA256

    7939fbf6900336c4234c8c4eb5bd9034337dec7af259bc1a10ad11b49f45338c

    SHA512

    a383fe0ed527bfc846c9c9b3ef051542597069b150d53d0c6f79d5eb6de576f5648305b0b4b6b0ce417652a70f7b4dd48af802fbae78c6b64d3d592c408e50c1

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

    Filesize

    4KB

    MD5

    8efc8d83dbc55893b0c4d9ed84421c5c

    SHA1

    6dcc3397f8041761348eecb3824820543d83d0c4

    SHA256

    4957dfe63446ec81d43164a358fe50d923ef0d88d7b2ec3330c1757fa0ea4d15

    SHA512

    2b68f54bb761ce1053abba794bf6738f3d84f7e26e3d65cab2a7aca0e16a8e69dee52c35002d3051c1f11f145843c9bdc9f334515997375f8ef68aadf2047a86

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\ProductKey.txt

    Filesize

    29B

    MD5

    71eb5479298c7afc6d126fa04d2a9bde

    SHA1

    a9b3d5505cf9f84bb6c2be2acece53cb40075113

    SHA256

    f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

    SHA512

    7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Windows.txt

    Filesize

    170B

    MD5

    71f7ee294f1b249a376f37f67e22e87b

    SHA1

    486b7a1a1d4c6075b31049c366ffbb34658461f4

    SHA256

    6b5d5d6bf785a459138fd270f987406d5cbed15a81eaff4267506f5c2669de79

    SHA512

    b693761a52abff7091abc1b2b5a6e4eeb2a194525e4081d3d4c77b30452190402f7b2906bdfde1365f0fc6b8cfba637758aeee8d04bd2ade6d5789a6f396b509

  • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\msgid.dat

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    50a8221b93fbd2628ac460dd408a9fc1

    SHA1

    7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

    SHA256

    46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

    SHA512

    27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

  • C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe

    Filesize

    444KB

    MD5

    b9fc6e3e01054e805e0d9c06057e9ea6

    SHA1

    02d5867cc43677fcb636faa6dbd87b83dbabe2e7

    SHA256

    91efbbac5cbe753836ee1d898fed959cc7974b84f057a22251fe10fbfd3d426c

    SHA512

    6b1fe8d2e678dae1402584d67c2fb03472d678d72182ee130f24701ac709886ae2db91916ee45c87df9e3444310315eb14cd2a0607b222f130882d00b8f1c365

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdtjrgeo.g01.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp58DE.tmp.dat

    Filesize

    114KB

    MD5

    242b4242b3c1119f1fb55afbbdd24105

    SHA1

    e1d9c1ed860b67b926fe18206038cd10f77b9c55

    SHA256

    2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

    SHA512

    7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

  • C:\Users\Admin\AppData\Local\Temp\tmp58E0.tmp.dat

    Filesize

    160KB

    MD5

    f310cf1ff562ae14449e0167a3e1fe46

    SHA1

    85c58afa9049467031c6c2b17f5c12ca73bb2788

    SHA256

    e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

    SHA512

    1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

  • C:\Users\Admin\AppData\Local\Temp\tmp6179.tmp.bat

    Filesize

    150B

    MD5

    6f19b9f573264e070bf0ad92dfa5a14d

    SHA1

    8cef2109183c044d61e827d2fa7d6d5b67509b00

    SHA256

    1abb32f0af8b05e81299442b3fb556d0cb79a0bdec6728a438be0f440d1f25bc

    SHA512

    28f07d52be82ed93a867481cafc16268fb0438db994aec06d125f4c149105cb6d46f690e2c29771cbd80a42962181639caf081526c34a7b582898318e86bffb8

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

  • C:\Users\Admin\AppData\Roaming\update.exe

    Filesize

    247KB

    MD5

    d3b88d7974e5ef23ed78f97d18fd0f8a

    SHA1

    cba12e2cfc60e994fbb7e99317c3130af9a532ea

    SHA256

    a39234abb087b986209b4ed86dbecafb50347409f37f6d20f2ca82230c356f79

    SHA512

    6e295e1f17e65d7685542304c8846ba076e4a52985a8cdc342cfa2969453050f6b7e98dbfe4f41247fe5dcce1f191daad42556913e04be0cc5a66c83909ab2b9

  • memory/116-3-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

    Filesize

    10.8MB

  • memory/116-0-0x00007FF95A9B3000-0x00007FF95A9B5000-memory.dmp

    Filesize

    8KB

  • memory/116-1-0x0000000000810000-0x0000000000854000-memory.dmp

    Filesize

    272KB

  • memory/116-9-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

    Filesize

    10.8MB

  • memory/116-8-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

    Filesize

    10.8MB

  • memory/884-346-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/884-381-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/884-465-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/884-440-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/884-421-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/884-400-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/3232-17-0x000000001C4E0000-0x000000001C4FE000-memory.dmp

    Filesize

    120KB

  • memory/3232-127-0x000000001C0C0000-0x000000001C13A000-memory.dmp

    Filesize

    488KB

  • memory/3232-170-0x000000001C760000-0x000000001C7E4000-memory.dmp

    Filesize

    528KB

  • memory/3232-171-0x000000001C500000-0x000000001C522000-memory.dmp

    Filesize

    136KB

  • memory/3232-18-0x0000000002470000-0x000000000247A000-memory.dmp

    Filesize

    40KB

  • memory/3232-16-0x000000001C5C0000-0x000000001C6F4000-memory.dmp

    Filesize

    1.2MB

  • memory/3232-331-0x000000001AE60000-0x000000001AE6E000-memory.dmp

    Filesize

    56KB

  • memory/3232-15-0x000000001C540000-0x000000001C5B6000-memory.dmp

    Filesize

    472KB