asyncrat | hxxps://www[.]dropbox[.]com/scl/fi/f8yjqqhzims4x5eh9gnvu/ForumeStatementFile_xujfCBGPhnAgyn[.]zip?rlkey=y6psboph2fvpd1velgx27dfqb&st=gjmanv3y&dl=1

Analysis

max time kernel
359s
max time network
359s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/f8yjqqhzims4x5eh9gnvu/ForumeStatementFile_xujfCBGPhnAgyn.zip?rlkey=y6psboph2fvpd1velgx27dfqb&st=gjmanv3y&dl=1

Score

10^/10

asyncrat ramiserverngnet discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Xchallenger | 3Losh

Botnet

RAMIserverNGNET

anothonesevenfivesecsned.ddns.net:6666

Mutex

AsyncMutex_k2D8ja65kBaVT1RR

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
59	3164	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4384	powershell.exe
1736	powershell.exe
3548	powershell.exe
1060	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 436	1736	powershell.exe	141
PID 3548 set thread context of 1136	3548	powershell.exe	149

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133686439280611004"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
436	ngentask.exe
436	ngentask.exe
3548	powershell.exe
3548	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
368	chrome.exe
368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe
Token: SeShutdownPrivilege	368	chrome.exe
Token: SeCreatePagefilePrivilege	368	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe
368	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
436	ngentask.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 988	368	chrome.exe	85
PID 368 wrote to memory of 988	368	chrome.exe	85
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 840	368	chrome.exe	86
PID 368 wrote to memory of 2700	368	chrome.exe	87
PID 368 wrote to memory of 2700	368	chrome.exe	87
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88
PID 368 wrote to memory of 2100	368	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/f8yjqqhzims4x5eh9gnvu/ForumeStatementFile_xujfCBGPhnAgyn.zip?rlkey=y6psboph2fvpd1velgx27dfqb&st=gjmanv3y&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff95457cc40,0x7ff95457cc4c,0x7ff95457cc58
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1812,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4680,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4856,i,3892294579054638038,4489251534222193071,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3248

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ForumeStatementFile_xujfCBGPhnAgyn\ForumeStatementFile_xujfCBGPhnAgyn.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$eksdmocc = Get-Content 'C:\ProgramData\TestoBronic\eLLLLLLLLLLLLLLLLLLEoJR.xml'; $metrooooooooooooooooo = $eksdmocc.command.a.execute; Invoke-Expression $metrooooooooooooooooo"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\TestoBronic\AMDaKLloQIIfldh.vbs"
    3⤵
    - Checks computer location settings
    PID:636
  - - C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" session
      4⤵
      PID:3524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\taxtrleandiablo.bat" "
      4⤵
      PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\pointaudioremoteend.ps1'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:4548
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:2536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:436

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:4100
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TestoBronic\AMDaKLloQIIfldh.vbs

Filesize
1KB

MD5
09fe83d38a369938c9d0d580212b5e4a

SHA1
27c00aa8fc89d22e235fba8af8ab98b8ec2794ca

SHA256
124a1a0f5af4a6c7abaf01f15cfd3bd0ad1f44264ba77f8f9b7a38017257fb57

SHA512
4a0f6a69ba3960ff7f4e3d00ed6b62303ee680a8a68dfcaa1b33300bd0f703153b584b1724188f02762e0ced404b5cefb7d6264da2cf27b93af99d0a29c7e0be

Download Submit
C:\ProgramData\TestoBronic\AnSdNslImE.txt

Filesize
8B

MD5
a8a83092504aa294279bdbdb91c2280b

SHA1
44fe829e889e425d3e6331e59ed125db05f60114

SHA256
e37276070a49392777dd5f41102b47528a0e6fbf122b898d8eda2f0eff5c488c

SHA512
187c89189980e96f05649a0d2897fa06bca0997c4961ce80c1522ea324ff1798ade34cd032abdd5806bcf9e082f6dd729ba8cb60371e82595083b0547bb1c5db

Download Submit
C:\ProgramData\TestoBronic\BlututhTathring.bat

Filesize
1KB

MD5
1097486dcfade1658f073bfcea3eeedc

SHA1
a25078a6ca45446c6037b483808e5a10c6b3a5c5

SHA256
faf33221b3c83d7cbbd490e29abd565e3b6d4e1f7dfcba496a3ff6e24f247696

SHA512
5dbebb420b998f5ba4782fbd757e34b9fd0b64a031eb316c7321c7eeabe4156b18bffe0ea2f50c631a846f7861d1da226b75907384e93814946f1fe78e19a076

Download Submit
C:\ProgramData\TestoBronic\DOkQjHJrhL.txt

Filesize
109B

MD5
66d8433a26fcb81efd5d81bfc25aebb3

SHA1
c7eef08d6d6b48ce5afc82df961833023ad6c520

SHA256
7ebb3c89be1d4604928e331787077c5bbdf0d3f74a76f35e29d987849df57774

SHA512
cc0bcfa6e32c98eb758d7a8707bc39300e153f64dc07c6a7c6685319c777da9361496e75636541d0dc649a661578aef73f823ff79acaa93863da2fcf87c71dea

Download Submit
C:\ProgramData\TestoBronic\HFdylsubIE.txt

Filesize
6B

MD5
d50aa5a0aa6fb79dc44f50361b6ee966

SHA1
d604b84d1ab9daa283a5c1515a4ce9b61030c4e3

SHA256
0fe9e9f192e9241f9dae392b5ffd38489f4b8d1a6f3f351ccfb167a59e4027c7

SHA512
d308aa18c5a5e4e13f273674e407ab9be8c5a84e165809cf4af8255349ee2bfd3a0e5bb3a0e850dd285e654c9dfc9e6940f210ce341aebd9d2c9443055ab698a

Download Submit
C:\ProgramData\TestoBronic\PHSUiabXYD.txt

Filesize
9B

MD5
c1877b9f865e274a965e39183b43033e

SHA1
60e4f44ccb38950a5442cd31e70195ea781a81a4

SHA256
f1e6cecec8b3f209b1b1d27605443614a18985c2fc00be9d0a1b6910eb4a71d4

SHA512
1085f3e2ef62183048effa93d9093075e3a67b2b1236024b7afad7055f5c81462ac5810441e890fdc8c313d0937f00fc213402a32c637ee5362bc8a8900b9da3

Download Submit
C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1

Filesize
1KB

MD5
3e335a9e65a609766a4dc676c565dc1e

SHA1
e223b3c78453bb087167ce7819a1e1ee2b470e58

SHA256
fc473b61cff251b54fe689fc786c907e8ce5b8a2e7b315501f1212fcad56da11

SHA512
b9eaa7a438c9061d70896a5e56d53d0a798ba5813652911db9b3a5bb19c596c5c7f4f675be548b401cb81550953bee4f767b0f503dee265f97914c2f9037b22a

Download Submit
C:\ProgramData\TestoBronic\VjOxUxUTJX.txt

Filesize
11B

MD5
7eb2561c37ed8d10de3ab8fe0b46b581

SHA1
0a90e7861b4e0bb8b9f3166a04bca3dd2d1038c4

SHA256
c0565bdf0b7522c48fa7fb2f8f0cadef11191228fe26f11921c9baebca6842aa

SHA512
304ed7a759c7c4f3746e78684a8f0681032794c1d49440f0a16f012f8f8fb6b92dcc51e421d53241a33b909cf03139d210aa8377432e5d4ef4445e77216b402b

Download Submit
C:\ProgramData\TestoBronic\YUidWkHyEUbuNmXmElxk.txt

Filesize
192KB

MD5
a5ec386ad116c48f9f650027ea995d58

SHA1
826968d2ced30405e8a253931da350acb8e7c284

SHA256
8cda078872625bfa8fa165d6193762a47f196b6ff263e67471382b22a2e2a273

SHA512
b08202550a377c3c012435318d211ba128b6d529cba9a6e39a23ba03cdcda080b0f8df5ca5cf6b8bffc276e7f02585a411f3e51325581428fe021861acf7829b

Download Submit
C:\ProgramData\TestoBronic\eLLLLLLLLLLLLLLLLLLEoJR.xml

Filesize
491B

MD5
65c02e6289b6a5e7395bfe28870e2a5c

SHA1
3c818c46224bce01b9ca0cee444166e1630bb542

SHA256
1e4d2b20c4693352fe3c07287a7b0b23283dbc461fb2b4ff1b2f312c35cd83e0

SHA512
0848934fbef4e1eda4676426bd1093a0793c9f784180e9abd6220673571fdfd811dc5883fbe30978aa0593aa582a8a203e6150e10fc3ce32f9009919aee77f2c

Download Submit
C:\ProgramData\TestoBronic\eUZRNqZIFx.txt

Filesize
11B

MD5
d7d88fadc06a17853929346eccdc02fe

SHA1
823c64b6228f44d83ea5be619acef0794d62be68

SHA256
2c7a8db7972321f75201aec580d66bd55656427f8cb8af28cef152c1c25426a7

SHA512
4b68e0d9a175e6cdfd301b090f406a27e404800969431fa2996605a0f45d1b6c310e4daf58da7727bf3132a5bb2c072073e9508492dc46a9d94ac19bd0e1763a

Download Submit
C:\ProgramData\TestoBronic\fZtORcHsbE.txt

Filesize
48B

MD5
6a78d6d1e7c732b3ea101e1a51a1f41c

SHA1
50bffbda1bafc5c7878e90ff6cb7d284134aca31

SHA256
54fcf113baec3b38b006f15bb5775782076bd37817164b46973ea954b4901b5f

SHA512
099542cc4d3ee46a2317f57ffa000dfa4aea5da8babb8d9e3c88a055422720b56a2896dc8dc91734ece3c91021f63f1b2a81250642513341169873c58ef0f0e7

Download Submit
C:\ProgramData\TestoBronic\inst_tronic_dll.vbs

Filesize
1KB

MD5
0ba4c2427b752c7315a05428a6eec521

SHA1
3ce6a1bcfbdac6f334800f9b8628b76235015d24

SHA256
7c2ab36c4db4cb30fe012065dbf33ffbe93657f199c01b2c673dc11665bebcfc

SHA512
9049a8ea8f83659b1b34d3e9a0f15f7bc6ad034702e0d98a59205a5101e73c701eb5bac0386bbc313a23edcb7834201f686e1b293358eb8bff4f9e6623ccaac9

Download Submit
C:\ProgramData\TestoBronic\jSrlfsdoMx.txt

Filesize
35B

MD5
ee5fdd013bfb29adebddd3e5165a2014

SHA1
eb9ac04232bf40d1f9a1e91a0cd89bc83e87f979

SHA256
f99af33f73309301d2779d10106e274b99ac9bb98403c2969c6f25134162baf1

SHA512
e041ea8513b2636aeaceecafa2d0e7e6c83e41651a79bb4f49005841ef2494fca402df2486d47329e1e53013adda7fa2c3a57090df7db763b43b9dfa2ec149a1

Download Submit
C:\ProgramData\TestoBronic\jbMxIHqutB.txt

Filesize
9B

MD5
c34a6bf09e7f7444048f907d78503140

SHA1
2bbe95da04878a156d2bdeda387b4082f288461c

SHA256
08fb9026b4c0dd64cf4e848e8dda726d8cd4aa8dac8c9e6216aa271c1b8eb342

SHA512
936be892183313d2672caf1b1cc6dda27200adc83744c0203c767ed7f7c3758824738322d448f1b8f56cba37168a1424532b74b1a6c650b0c7bce6524c9e207c

Download Submit
C:\ProgramData\TestoBronic\pointaudioremoteend.ps1

Filesize
746B

MD5
6a366453714e4ccd8e69115ef2a31da3

SHA1
81db8831fc76e0596d2fd80b7df4870a516962c8

SHA256
f75c78b95e630bd11e37c52f67faa2d3283dffcaa6c831b29b16003d04e635be

SHA512
231e17f38eddd08dd34d032a91d84f79cc7a1b09950240fc6843592a6347c48ec0bda8544a1c4c38d544c5054a13a404340c08a3cd0e49ce40a1ef900024200f

Download Submit
C:\ProgramData\TestoBronic\taxtrleandiablo.bat

Filesize
1KB

MD5
c58fbd68b2415b94f7a60d46ecf347e3

SHA1
a6d6320536df7121157db1401dfccb25f5ae3296

SHA256
65f928e25053ecdad6445db572acc7a0977b033f40f6ad8da5a0645c12be7ab3

SHA512
81d6e00ff648061aa6d23e1f9e50605295b469de9e1c981546920b46d397280cc6e9a3c98d8fcb5358c0d2e467fcd5b989152bfcda10813cd15ee16a2d3f0100

Download Submit
C:\ProgramData\TestoBronic\wIyRrpjguS.txt

Filesize
508KB

MD5
45ea14e8e0aa31913c128e972c0823c6

SHA1
50befd38b9ab1c3a050321bc2421cb5347d0e884

SHA256
dfceb259aaed213dab66650172013d6dd3c27e2446a4d8680fc68a605fbf143a

SHA512
f1263275ff97803b175f9bcf361ea2704d82f73fa87a69e8fba9f37afe4e6531cf7d884d6d26ecfcdd3e4cac663fd9d37b5350016eb07214fd624847b0ffb238

Download Submit
C:\ProgramData\TestoBronic\zPlnEWoizAnMbcevBsqO.txt

Filesize
464B

MD5
2ae925264eb587bd76d3fd153daed9be

SHA1
5a6784edfd728f1bf7c17d01d833082cadc46c9c

SHA256
7849f2a852f68663b3ed7960a3f3052a4f43ed4780b234ea45f0a550a60678f6

SHA512
e782c7683687e657b67046847b46b91f8047f8fda3da7b23143a616ca8d814d044b47a6f29c400ee27f4fcc2a7a53b620d953efa1b017cc5e1695529de299db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e51f0a65c2d38df39053d60daacbc45c

SHA1
f58a6fa801e48e6c4efaa63cd205cbf8d0ac67aa

SHA256
d6c03c7b4223d788377d68a8bf5beb8bdcadc53e904ef8ae37103c8a5e2f71ca

SHA512
70b440fde5f836853a3a6f8033f3dc7a4971c86406eebdc05697e5de9a331537fff9b6c99820a360d2b595cec795e1c54445bf8efe5fa7f462f1d7a4de462933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dd0a9293b406db87e410c8364b18c478

SHA1
403e558b0743175bcc6e39398590617403a7631f

SHA256
094babf9d87186bfac94c713020b924800c27c806a42d48dc5cb9565a686ebdf

SHA512
93a19c756a0143be9f73914908186ab4bb205cb4c13f7a6bdb3a522f50015f35a0d8c4a0c13ab96b0971c0eb5e4366aae5cdbabcc64934dd8f6607d450869317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8693b65f8bba6dccb5b9869979ec2654

SHA1
435780bef9921d246b8ab1c6b5008ef7559cf81b

SHA256
8daa7ec8fd1931a2582e344719c2ab8d363cdcb9e4cb8726f8f4267e7b6335dc

SHA512
afa47fef3c879bb4b1d453a191b3fe94f357c304fc90168038e2ae533b23b28154169a72dd08c61278e9a24c159bd5f3d9fd9f909eef5ca6de72ceb940b64575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b2f8bf690d1f35bd2af024649b3bde62

SHA1
bbec72ab98c68c3f9ec2e975938006e696444743

SHA256
9c8999ada275dee6862b15d3769c3697d3af699d8f52758a0b9c7a67b55106da

SHA512
48e21a52d4fc32ddd8786a1a6f9cc9fe9870cfcb942bf112a6b0c5ef64d5f8ceb301e54c6bd8bd6f361f6377a8264728e9fa91b802879350114e55f1b4bb0626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bd5418aefa767ef99feb097c58f52014

SHA1
6ef974d3f240ffc63d54facf079ecee904037b31

SHA256
c8698d82f3d91a16c073f0bf74c2e11c4fc6aa054c003d4208cd0b6acda8287c

SHA512
54e9ac9a27436678e4031095ac2d7cce2aedb135443dbc046e678d0cacbe54e4a0824537c7bc558b4985d9d4f0bc629e2709437136b170c89c7c4572811d5ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bbf1691cf68062d6aac3e0186d3f9575

SHA1
df3da03d18484811e3679ec0459676a12d98a1b9

SHA256
6cd42408347cf50936493b7c4f27e288a2078380fee9f4625f1c661fe0aff700

SHA512
23d3a491df7ee011824eb578061b333e8764a4615577870c838ee9354be5e6dac97d6063e2626dfa7157d638730744c98da1a94b28d1ca1c74f04210a48976ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f457d8422fc871bca533fe76d32ed1d

SHA1
1b14619e55bce957aeddd366af5457385eef0425

SHA256
8217ef98bd282ab22ce986535ac3b2078f425081479c9d2728dffebe46706cd8

SHA512
54f931021191a5efc87291bd6a74e0a146be22794207c8641838024e01593f44ea22ef07267bf13d34bbc350b14cd056020adf86feffc8cb6a1ccad68e08ebe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f39c33962f7c5a6148cd3e5da2384e91

SHA1
955726dc60e27d3fa925d94a6e49332577af6b47

SHA256
72f6e1e39c469c959a4dd89d746a32848d9bfa7f17fbd4eeda46d5f2565a53cc

SHA512
20f1ca2e18c863663a8153ec71bab44debb6a5b1311a89dcb95b0fb1382cce7090aedeb629b51f7f67d62ee20be6b325bcb33fd86f3412de37d86893c42b2fa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5110658f5207daacbb063d95d827ff2b

SHA1
cc3c93cc51bdd343b7d12ec60f0e1816754d5a52

SHA256
dc16de8221b404fa3524e65c360c1462d8975d13092bf87311f53ca331d5e143

SHA512
3ac4d2786ba0e41bfd2f0fda6eca1230aeb1412120e3e826b05ef569f195e23f2bf83344ed2065b51032c661dbec12f70fe326846777b3ebb04d6990c06ea4f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb24f3e98d33aa8b8c0f69c4535f6e1d

SHA1
a00e8b2f3b0a5ae621c9c56e274ef7ab1e77d3c9

SHA256
d56ab888e7c4cd2cadaa4396e637a06c1ef95cebdf3538f2ed997c79047e01db

SHA512
f01ed723541c1951cd508402ca9b61df0dac08e4b43905f99bcc69059e4baf0c6c21fcd1d1215371f9957675e78287e36f4de17d75436b9c7eb2d42fd60cb15e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b70beaba4c519ce06fd7704a4c2f0890

SHA1
e37deb0336d150f8008bb4a95ab2cf6efcd33e59

SHA256
0a19c4c04360012bd277c5bbab0162d9a500938509056e530797446a0990ce1c

SHA512
12629d1d1e78014977447129dbed51118b9852f57580cda4cb9d6d69c13db3c63b72d59eb468d801dec4ac84205405a0dbed2f0a8c1113bff140852879a19bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c672bb62fb6e3f97f7957ffd815710bb

SHA1
683b3fc48928547bec6eba10e2ab6ddf8a780773

SHA256
309b1fd3d77365e0a3ef4147006075f3934585c1a6ff38a92d36d35dc6e0f7a8

SHA512
872acba7dbcece2efcd6b25185471af44326a962c62632d9538faedd815a5ee7e7215e7fdf1163357b0930ab1b7b7eff215411668ac96b2b2c53a672b1793a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a72c19f8024c160d5ccbaedbed6b5710

SHA1
a8f283bec096aaed7470c739a65038c47ae3bd14

SHA256
f3e1a40a2bfe18cc7fc4b8318bed6666aa49c8a46f216647af4707822763c49c

SHA512
ce6aa2bd22f2b1a5086bb92243873c704549361a9bfec143a65724b5ed233e697c5f10febc45d8260f2696d4ed72a935c6df6029c55f9c727be85f61ec76adbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f87925ee52f19488ef58e14b243ead8

SHA1
aa7c174ad8611538b70ed200372ad3d025f7bee1

SHA256
d9aefdd727662ef4cfb620b631bf24bae88200b04e5966c83dd759db94ef034d

SHA512
19bed97a90ed644b2ddf9132b10c507d71593e2aa7411c7db14b2c241a465860e9a2dca92f584ba58b8e6ed490ff54fd24b1acc86554f8cd0b0096316426dae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80c68fd20fc06bf9c44e61f9e2ff008a

SHA1
38a8b4210bb372f0f304079bc1222ef6f805a311

SHA256
b7ef892c7f631e2ba49254cfe1fe5e8de05b66033ca08f1b594f04fb19ce1ce1

SHA512
f7799bda5d419f9b741bd1000e37527f8f162b7a106187321b432caab98fd9684e6d81861a8ec3dc9ed2847239d8b7e0e4e4daeb8dcee1f82af256307286f3ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
827f4c75dd7d3a4998083d0589874123

SHA1
58c7bfb7f7387bab49f952aa498e6ae947d3c004

SHA256
05d2f2463489524d727f3b21afe722d91522277f1cb100b2bbabcb6275c669fb

SHA512
9fa456c8e93fe27d6f5a38501818535caa7b39666851b1b8fbc7b9e9dc6e5f468af797ad2c03ff4d546e9e3e767c0c1d860d237f8356b30b41d4e7f280c053e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17a308bd4d077882abfd9dce104c34cc

SHA1
b47cf638e59829c591e58485c7ea7b6450a7b01d

SHA256
fb784931a8b7e57da976b9e704425411c91712d9e6084f53ae9aa48adf6cf4d8

SHA512
a9b6e530f563c86148e8f5bb579350cc8fcf5416ffd3199e7a2b191cf8b77353dadd9595015de46b3afbac6c3ae8836dacb70c9a69a2b3238fd2732576f848a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50ec2363ded366268d3a3525008b92d7

SHA1
3d6b008c7ff50382c90b7b32e5c4de77e0c33e50

SHA256
0c81ea664e4e89edfc3339178e101296075faac4f86b58c26deb70f9a57f126f

SHA512
082dfbd562fedadfbb708f821acd7658c1e23dc666044df838da8da559617ab4ff53d79a9fcce2252ba358d912870b02b24c2155d398194f3a9cfc5abaa876ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5dbb1ec599d3435cf905792471df7b0d

SHA1
b03f519b44c54bdd66122e64fbb12fda29206044

SHA256
53176d18ec1ef5e9944939a162a04844e478751db85c0de185bc95a187d147b1

SHA512
8fcdc9d764d4d347877567705578665c634ce68deffe9113fd83f9092c2655f133e17ef631a4a590a2f6dc659bd468eb52da5e7fd218e81cae8acb529571aa08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6697dc60c70e9d2c24331f53133620b7

SHA1
58735769ed1e98c4705f9984bc80c4ad562fada0

SHA256
6afc28230e3b2ff763dd2d7d38933843a3d73b9709daac2f46aaaf0af2ef1a45

SHA512
537ebeee46b54cea8833ef171329de5d3543fe76dff8ed221dd4a0b316473b2314a27931f318dce554f89360ab009ca48a623a842594bab0c172089ee74203e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1de33291dd3b377f8a021a57e871ed73

SHA1
d5ed0a47c2f8bd69cbd15f4917454a94e53eee67

SHA256
bd0ef7593430b02aad96f78f340fe581cc7c032890b22759939e4561b7a5f9e4

SHA512
0f6d9c6918f2b1c76430bfde69fe4b880d5d297f2f16264016dd66ae075c3fa51c6700c33b9df190cdbb9302ca3d140a1d15386ec23948cfa4262dcc1cbe10d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5648fe3bdfb4561dcc6424766b3652f7

SHA1
a35ffe862b5027e14b8e16b98551d0e971236739

SHA256
7ce3e573a4cb0d9c1627304a7ec2fb2e4bc4bb33e4ed6af45b049e3db5b84d49

SHA512
b06a8f8eb6e52f1b2de4186d14e450bf82a0bbc2e70b914be48630568b267a42c104fe6b9552554e215361a3e6a36a048e66fccb692aba615ba79d291e397c5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
55113a28bdcdc527b2ba115b0c9dae0c

SHA1
ce6f2793a2bcb8cc7570e09b383e5bb267ce7b5b

SHA256
95fffc66c6b7456201db51cf13be5c6b33d48d0b7c91db68af73acd7d19f8a3b

SHA512
8c155d1bed0e9eaf126329d9abf018d48dc6c134bcba2d8449baff168ca8e074970bdacc378345e3f574fe738bc7374b96daa2cfc2757a5c74612bbaa8816558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
aaa2bc1e722b3524c622a8866095974a

SHA1
70922085f0f31b9ba5c727b657267835a7c2bf6a

SHA256
099624c5a36403359d60974dd32d346870f2625eeb7ef1f4e7329c5eb3cc0f00

SHA512
6ee31b219e79327d055184751e69526ded6b672fbc7a7ed2d1d170dc83947d08c5a0279cd3c43caef7178acbf0b506ca9dc0c3b81492af46246b511c8d9cb712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
dd6085af47993de750fc1bba39e02d75

SHA1
c83d868735b3170ae109cacc1163ba647ab3e5b2

SHA256
847924eed8197b381f6dfe87f2f1ad3d6a4ea542e5afe291e3e5144419ba28b4

SHA512
9d50ba6331a1c5b1ae6b38bdee8e8bf871d63c3245b78b40d6287b9730e862bd731f99e1956ddf28db819592b35b005824b078535de2a0003523ebd8ab62c59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
844a2f44adc115e3b8bfadf2f34a86f5

SHA1
04ffc596b5299997025b168a90dba4eaa508eea7

SHA256
23a26afeb0648593c2e32f6a0cbf6a9095561cda2525552a437e5ea2c6072ecc

SHA512
26de17e556dfad292ad2ffe0b65160c0e5f8edcc0b9368ea562f5e376ed6031432e5f1a4d6bb91f46cb754cc8eb8e4676dad6031c32cd32c7ec090a3799ee9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
066cd80d59bb1a4da5b5e87e29dc4a21

SHA1
00407c45cb488dd4bdd81b48ec95e3e010aa71df

SHA256
57cba8ed6e2c90a6c307f1d3aa452d2722eb43e840fb1f91f73b5fed3a502594

SHA512
75d4c240553ac6e8c372a811b15490640f3147a62b363efefbc2226589bb901ba826a472fc8a7c52e00eb16c430e035765c26896e5568ee485ebd8a93e0db322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9b62672a2e87116cbfb1b09828c66a5

SHA1
01561bc6c5de310dd6018fb55d59a29685d12840

SHA256
c4e7e22b172886eb3bf7cc99dbba1d632d0d8c291935eabbac3c25fb326f016b

SHA512
0f79c3471745e2493a19c93fe7d40f5fc7cf3fcbb9ec82cf196868e21dfffdbdb905d5523b6d0023dea721e977e210963f48a6f140259a18553b9e7d5a3c70c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gumh4gxv.yu1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/436-269-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/436-271-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/436-272-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/436-270-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/436-268-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/436-266-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1060-79-0x000001CAADA70000-0x000001CAADA96000-memory.dmp

Filesize
152KB

Download
memory/1060-80-0x000001CAADAD0000-0x000001CAADAE4000-memory.dmp

Filesize
80KB

Download
memory/1060-99-0x000001CAADCA0000-0x000001CAADCB2000-memory.dmp

Filesize
72KB

Download
memory/1060-100-0x000001CAADC90000-0x000001CAADC9A000-memory.dmp

Filesize
40KB

Download
memory/1060-68-0x000001CAAD700000-0x000001CAAD722000-memory.dmp

Filesize
136KB

Download
memory/1736-265-0x0000026E23960000-0x0000026E2399A000-memory.dmp

Filesize
232KB

Download
memory/1736-262-0x0000026E23DF0000-0x0000026E23E66000-memory.dmp

Filesize
472KB

Download