asyncrat | hxxps://www[.]dropbox[.]com/scl/fi/tk0omas0v34lb2cktmns6/ForumeStatementFile_DqwpzdJFmHAKxq[.]zip?rlkey=79s6qdnif5b0m1y2qcgohs60w&st=6vv2vper&dl=1

Analysis

max time kernel
359s
max time network
356s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/tk0omas0v34lb2cktmns6/ForumeStatementFile_DqwpzdJFmHAKxq.zip?rlkey=79s6qdnif5b0m1y2qcgohs60w&st=6vv2vper&dl=1

Score

10^/10

asyncrat ramiserverngnet credential_access discovery execution rat stealer

Malware Config

Extracted

Family

asyncrat

Version

Xchallenger | 3Losh

Botnet

RAMIserverNGNET

anothonesevenfivesecsned.ddns.net:6666

Mutex

AsyncMutex_k2D8ja65kBaVT1RR

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
41	1652	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4368	powershell.exe
3672	powershell.exe
4952	powershell.exe
4212	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 428	4952	powershell.exe	140
PID 4368 set thread context of 1772	4368	powershell.exe	148

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133686440945209703"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
428	ngentask.exe
428	ngentask.exe
4368	powershell.exe
4368	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeShutdownPrivilege	1052	chrome.exe
Token: SeCreatePagefilePrivilege	1052	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
428	ngentask.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 3612	1052	chrome.exe	84
PID 1052 wrote to memory of 3612	1052	chrome.exe	84
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 784	1052	chrome.exe	86
PID 1052 wrote to memory of 3768	1052	chrome.exe	87
PID 1052 wrote to memory of 3768	1052	chrome.exe	87
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88
PID 1052 wrote to memory of 1716	1052	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/tk0omas0v34lb2cktmns6/ForumeStatementFile_DqwpzdJFmHAKxq.zip?rlkey=79s6qdnif5b0m1y2qcgohs60w&st=6vv2vper&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9e39bcc40,0x7ff9e39bcc4c,0x7ff9e39bcc58
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1604,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=208,i,6384535471363735976,2529627170562984018,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3800

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ForumeStatementFile_DqwpzdJFmHAKxq\ForumeStatementFile_DqwpzdJFmHAKxq.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$eksdmocc = Get-Content 'C:\ProgramData\TestoBronic\eLLLLLLLLLLLLLLLLLLEoJR.xml'; $metrooooooooooooooooo = $eksdmocc.command.a.execute; Invoke-Expression $metrooooooooooooooooo"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\TestoBronic\AMDaKLloQIIfldh.vbs"
    3⤵
    - Checks computer location settings
    PID:4180
  - - C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" session
      4⤵
      PID:552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\taxtrleandiablo.bat" "
      4⤵
      PID:4248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\pointaudioremoteend.ps1'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:884
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:4964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:428

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:3216
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:2388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TestoBronic\AMDaKLloQIIfldh.vbs

Filesize
1KB

MD5
09fe83d38a369938c9d0d580212b5e4a

SHA1
27c00aa8fc89d22e235fba8af8ab98b8ec2794ca

SHA256
124a1a0f5af4a6c7abaf01f15cfd3bd0ad1f44264ba77f8f9b7a38017257fb57

SHA512
4a0f6a69ba3960ff7f4e3d00ed6b62303ee680a8a68dfcaa1b33300bd0f703153b584b1724188f02762e0ced404b5cefb7d6264da2cf27b93af99d0a29c7e0be

Download Submit
C:\ProgramData\TestoBronic\AnSdNslImE.txt

Filesize
8B

MD5
a8a83092504aa294279bdbdb91c2280b

SHA1
44fe829e889e425d3e6331e59ed125db05f60114

SHA256
e37276070a49392777dd5f41102b47528a0e6fbf122b898d8eda2f0eff5c488c

SHA512
187c89189980e96f05649a0d2897fa06bca0997c4961ce80c1522ea324ff1798ade34cd032abdd5806bcf9e082f6dd729ba8cb60371e82595083b0547bb1c5db

Download Submit
C:\ProgramData\TestoBronic\BlututhTathring.bat

Filesize
1KB

MD5
1097486dcfade1658f073bfcea3eeedc

SHA1
a25078a6ca45446c6037b483808e5a10c6b3a5c5

SHA256
faf33221b3c83d7cbbd490e29abd565e3b6d4e1f7dfcba496a3ff6e24f247696

SHA512
5dbebb420b998f5ba4782fbd757e34b9fd0b64a031eb316c7321c7eeabe4156b18bffe0ea2f50c631a846f7861d1da226b75907384e93814946f1fe78e19a076

Download Submit
C:\ProgramData\TestoBronic\DOkQjHJrhL.txt

Filesize
109B

MD5
66d8433a26fcb81efd5d81bfc25aebb3

SHA1
c7eef08d6d6b48ce5afc82df961833023ad6c520

SHA256
7ebb3c89be1d4604928e331787077c5bbdf0d3f74a76f35e29d987849df57774

SHA512
cc0bcfa6e32c98eb758d7a8707bc39300e153f64dc07c6a7c6685319c777da9361496e75636541d0dc649a661578aef73f823ff79acaa93863da2fcf87c71dea

Download Submit
C:\ProgramData\TestoBronic\HFdylsubIE.txt

Filesize
6B

MD5
d50aa5a0aa6fb79dc44f50361b6ee966

SHA1
d604b84d1ab9daa283a5c1515a4ce9b61030c4e3

SHA256
0fe9e9f192e9241f9dae392b5ffd38489f4b8d1a6f3f351ccfb167a59e4027c7

SHA512
d308aa18c5a5e4e13f273674e407ab9be8c5a84e165809cf4af8255349ee2bfd3a0e5bb3a0e850dd285e654c9dfc9e6940f210ce341aebd9d2c9443055ab698a

Download Submit
C:\ProgramData\TestoBronic\PHSUiabXYD.txt

Filesize
9B

MD5
c1877b9f865e274a965e39183b43033e

SHA1
60e4f44ccb38950a5442cd31e70195ea781a81a4

SHA256
f1e6cecec8b3f209b1b1d27605443614a18985c2fc00be9d0a1b6910eb4a71d4

SHA512
1085f3e2ef62183048effa93d9093075e3a67b2b1236024b7afad7055f5c81462ac5810441e890fdc8c313d0937f00fc213402a32c637ee5362bc8a8900b9da3

Download Submit
C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1

Filesize
1KB

MD5
3e335a9e65a609766a4dc676c565dc1e

SHA1
e223b3c78453bb087167ce7819a1e1ee2b470e58

SHA256
fc473b61cff251b54fe689fc786c907e8ce5b8a2e7b315501f1212fcad56da11

SHA512
b9eaa7a438c9061d70896a5e56d53d0a798ba5813652911db9b3a5bb19c596c5c7f4f675be548b401cb81550953bee4f767b0f503dee265f97914c2f9037b22a

Download Submit
C:\ProgramData\TestoBronic\VjOxUxUTJX.txt

Filesize
11B

MD5
7eb2561c37ed8d10de3ab8fe0b46b581

SHA1
0a90e7861b4e0bb8b9f3166a04bca3dd2d1038c4

SHA256
c0565bdf0b7522c48fa7fb2f8f0cadef11191228fe26f11921c9baebca6842aa

SHA512
304ed7a759c7c4f3746e78684a8f0681032794c1d49440f0a16f012f8f8fb6b92dcc51e421d53241a33b909cf03139d210aa8377432e5d4ef4445e77216b402b

Download Submit
C:\ProgramData\TestoBronic\YUidWkHyEUbuNmXmElxk.txt

Filesize
192KB

MD5
a5ec386ad116c48f9f650027ea995d58

SHA1
826968d2ced30405e8a253931da350acb8e7c284

SHA256
8cda078872625bfa8fa165d6193762a47f196b6ff263e67471382b22a2e2a273

SHA512
b08202550a377c3c012435318d211ba128b6d529cba9a6e39a23ba03cdcda080b0f8df5ca5cf6b8bffc276e7f02585a411f3e51325581428fe021861acf7829b

Download Submit
C:\ProgramData\TestoBronic\eLLLLLLLLLLLLLLLLLLEoJR.xml

Filesize
491B

MD5
65c02e6289b6a5e7395bfe28870e2a5c

SHA1
3c818c46224bce01b9ca0cee444166e1630bb542

SHA256
1e4d2b20c4693352fe3c07287a7b0b23283dbc461fb2b4ff1b2f312c35cd83e0

SHA512
0848934fbef4e1eda4676426bd1093a0793c9f784180e9abd6220673571fdfd811dc5883fbe30978aa0593aa582a8a203e6150e10fc3ce32f9009919aee77f2c

Download Submit
C:\ProgramData\TestoBronic\eUZRNqZIFx.txt

Filesize
11B

MD5
d7d88fadc06a17853929346eccdc02fe

SHA1
823c64b6228f44d83ea5be619acef0794d62be68

SHA256
2c7a8db7972321f75201aec580d66bd55656427f8cb8af28cef152c1c25426a7

SHA512
4b68e0d9a175e6cdfd301b090f406a27e404800969431fa2996605a0f45d1b6c310e4daf58da7727bf3132a5bb2c072073e9508492dc46a9d94ac19bd0e1763a

Download Submit
C:\ProgramData\TestoBronic\fZtORcHsbE.txt

Filesize
48B

MD5
6a78d6d1e7c732b3ea101e1a51a1f41c

SHA1
50bffbda1bafc5c7878e90ff6cb7d284134aca31

SHA256
54fcf113baec3b38b006f15bb5775782076bd37817164b46973ea954b4901b5f

SHA512
099542cc4d3ee46a2317f57ffa000dfa4aea5da8babb8d9e3c88a055422720b56a2896dc8dc91734ece3c91021f63f1b2a81250642513341169873c58ef0f0e7

Download Submit
C:\ProgramData\TestoBronic\inst_tronic_dll.vbs

Filesize
1KB

MD5
0ba4c2427b752c7315a05428a6eec521

SHA1
3ce6a1bcfbdac6f334800f9b8628b76235015d24

SHA256
7c2ab36c4db4cb30fe012065dbf33ffbe93657f199c01b2c673dc11665bebcfc

SHA512
9049a8ea8f83659b1b34d3e9a0f15f7bc6ad034702e0d98a59205a5101e73c701eb5bac0386bbc313a23edcb7834201f686e1b293358eb8bff4f9e6623ccaac9

Download Submit
C:\ProgramData\TestoBronic\jSrlfsdoMx.txt

Filesize
35B

MD5
ee5fdd013bfb29adebddd3e5165a2014

SHA1
eb9ac04232bf40d1f9a1e91a0cd89bc83e87f979

SHA256
f99af33f73309301d2779d10106e274b99ac9bb98403c2969c6f25134162baf1

SHA512
e041ea8513b2636aeaceecafa2d0e7e6c83e41651a79bb4f49005841ef2494fca402df2486d47329e1e53013adda7fa2c3a57090df7db763b43b9dfa2ec149a1

Download Submit
C:\ProgramData\TestoBronic\jbMxIHqutB.txt

Filesize
9B

MD5
c34a6bf09e7f7444048f907d78503140

SHA1
2bbe95da04878a156d2bdeda387b4082f288461c

SHA256
08fb9026b4c0dd64cf4e848e8dda726d8cd4aa8dac8c9e6216aa271c1b8eb342

SHA512
936be892183313d2672caf1b1cc6dda27200adc83744c0203c767ed7f7c3758824738322d448f1b8f56cba37168a1424532b74b1a6c650b0c7bce6524c9e207c

Download Submit
C:\ProgramData\TestoBronic\pointaudioremoteend.ps1

Filesize
746B

MD5
6a366453714e4ccd8e69115ef2a31da3

SHA1
81db8831fc76e0596d2fd80b7df4870a516962c8

SHA256
f75c78b95e630bd11e37c52f67faa2d3283dffcaa6c831b29b16003d04e635be

SHA512
231e17f38eddd08dd34d032a91d84f79cc7a1b09950240fc6843592a6347c48ec0bda8544a1c4c38d544c5054a13a404340c08a3cd0e49ce40a1ef900024200f

Download Submit
C:\ProgramData\TestoBronic\taxtrleandiablo.bat

Filesize
1KB

MD5
c58fbd68b2415b94f7a60d46ecf347e3

SHA1
a6d6320536df7121157db1401dfccb25f5ae3296

SHA256
65f928e25053ecdad6445db572acc7a0977b033f40f6ad8da5a0645c12be7ab3

SHA512
81d6e00ff648061aa6d23e1f9e50605295b469de9e1c981546920b46d397280cc6e9a3c98d8fcb5358c0d2e467fcd5b989152bfcda10813cd15ee16a2d3f0100

Download Submit
C:\ProgramData\TestoBronic\wIyRrpjguS.txt

Filesize
508KB

MD5
45ea14e8e0aa31913c128e972c0823c6

SHA1
50befd38b9ab1c3a050321bc2421cb5347d0e884

SHA256
dfceb259aaed213dab66650172013d6dd3c27e2446a4d8680fc68a605fbf143a

SHA512
f1263275ff97803b175f9bcf361ea2704d82f73fa87a69e8fba9f37afe4e6531cf7d884d6d26ecfcdd3e4cac663fd9d37b5350016eb07214fd624847b0ffb238

Download Submit
C:\ProgramData\TestoBronic\zPlnEWoizAnMbcevBsqO.txt

Filesize
464B

MD5
2ae925264eb587bd76d3fd153daed9be

SHA1
5a6784edfd728f1bf7c17d01d833082cadc46c9c

SHA256
7849f2a852f68663b3ed7960a3f3052a4f43ed4780b234ea45f0a550a60678f6

SHA512
e782c7683687e657b67046847b46b91f8047f8fda3da7b23143a616ca8d814d044b47a6f29c400ee27f4fcc2a7a53b620d953efa1b017cc5e1695529de299db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bca907455b1e808428c3c72c15784b74

SHA1
61c9c361b28134fffb3dd9276ba55ce30e95b7d7

SHA256
66d7fbb641608d1abcba085fd7821ea5a5e88dfd37c5bf0f412c2d1302f6dc8c

SHA512
bff6c671b1bfa08aaab6a713658410f0bde0d4122547a5b226497c74c834bca4127850bf038560cd1ac61c91e9646cb1d6f7c598bc37204ce1520a68b6ab5dd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2ab17fd5e258ea4a407f9cbf8f8c3a0e

SHA1
77e95612fbd0392a88afb20ef7de8c41ed21c0ca

SHA256
6cb2dc944224260aff8e772dd31c9e6f072730a5c80f84b18e25431680bba1f0

SHA512
08c9acad5d179aa08f07a6522c546087bf5d2f53fe73c8676d759591ddcac370f8a4598782afeadb9a8d589ae8d6f9f9765072dff2b6b20925c8e5c71eea7ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
24b52d1fd8ec762b499171bc971f0cc5

SHA1
05572ce8d9936d921a06ad33536a9341cb4bad0d

SHA256
cc5e99b410bdb8c4ab4bbaaab18714160b155da7d3c2c392f72c3000ccdbd53e

SHA512
f3678a4cba041ae6d8ae7ab865fb300ebc9b4b3cd8dc057db6fc5398287dfdb0f95ea67051799a65a6235127fb95f9103dddc4c9a9d76ed4e2a8e30211d49b13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
0da5e3305f2ff8d9a015e207b11377d6

SHA1
ada52f82bc81ce332cccbc926d7a9d83ae12c277

SHA256
86459ae1bfa035a32eb87fedd00dc481c50633aee64fee18fcd512a38291c76f

SHA512
4fb6bd27a2f0f45bf6eb19923770eca3933258578b29d67949bc6621d3fc8746611136979b9c5ac7b9010dc203978563d0dc14fb1d8116aa30554a3703b3bc0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3598526a9c781789dc3e8578233f55c

SHA1
bed4ec3b3514c5eb48d83414ffac36dc4fe954bb

SHA256
45dc0af88473f524064fd5e29333431eed2aaec127e3a004d18fc9ae933f8970

SHA512
d267b80101d8328c697cbb39d447742f2f72278245cc8fb4a04a6291d5a22e31fd1b1fc796234d3a1648e8e5bc24b59c05fa8c46678214622e920d3fd400657d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7ebf3b540249c9e5c8b49b0211712703

SHA1
896ff27a506b738fb0f56766622e998f2e4eed13

SHA256
8b23e1ec6f207726ab5577400d872509b7f54529feb05daccd1e94eddb7c4620

SHA512
b28070735dccde7156651f58669a55ba5e51095cdfc64397128e144b9ad6a03f317037d3d13cbdc3d947c974bfafe93bdc0be2f7474b594e81fe3f4983c6f6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74f1055f6247c4f2e0c2a2f99e395280

SHA1
5f69648b562fa62bfb062553b382eaa94cc001e2

SHA256
3b521a912c9e4720e46f9f04e553deceda8f5e42fd7e69ad64bf3209f5798f17

SHA512
0a34c631c1c4c89cedc2183b8712f12a18eb2cb271ff7e76d57b0523dc53e4fd4aaf2421e69f3d338adffdb4414658a214c31873b6d916e480422aa0f41c503e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbc2d4ec801368f601cc5047aeec9eab

SHA1
0e3519eee93e89010245930d226c56fc503ca174

SHA256
4fede24f49113674e7b7867bb7460ec4069e7c7c72d5aa622e889653e6fa7f5e

SHA512
5f119dd55d85bf90dd8f01e99456b979378cac797840e907d4243136db4b4ddc344354d950eafa40a21dfba41810935f8785e7e08c4604287d3f66a95a0e5fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
23dfe51deefc73255e68a732c8b28569

SHA1
1fe4d2830e13af72b93e90c1c579bd46a17024d1

SHA256
dba03f792a447fb71a534cab18031a651472b9abc0b58a34e4eb3bbd85a61d48

SHA512
48d35b0ba20921219d342ad4fbb306d6c961e6fa808c29de655856e7c726eae7a973338fcc3238e72e9fc2c363af8d786dcee9a881eb73646d771a63f89e8f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1976c5dcc0fadeadc649f3fa9373ac6f

SHA1
e139eda77a37fa57e45bd6b18f1bbaf08412c0ed

SHA256
066a313393cb0fde05ddf353f0eb7f01fcabbe77ff0beea00c5a0960e801dd4f

SHA512
d48a2913a96436416fe9033a1a23baea8c93f5b49aeac034550e05d3b46d563c3540831b90197012757dc1519a230833e544a4d4b2ee7648bc1b4ab5f6da353c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98450c12d0feb46745497f154340e50b

SHA1
78fa8a26ed171079daf4c28efbebf87849bbc530

SHA256
4420192e337932e6889a72eac55f0a96f024a1d085e29fc63a2f5f8522914db9

SHA512
5c0b6875341722d1e981041f83b615562fe2693b0f464ef077ac3f2b95702c26889a563ab8eb4602b3a5fe46109f2380c6f8890c865b68ba60c039e39fa70d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddc18827e4530eff32125c165fa4639e

SHA1
3fb6d6e8ec55cf1cc2960141a507c5194b6f2221

SHA256
59153ae0437138afd37bf116942290ce4ab55f20cc34f036aa4a34c1e98d87b1

SHA512
c00684e57bdaa516ed1c56ba0e82cedbeaa9768fcfe091833c2038c0f019af6bef180c2ac13680b7aeac5708cd5da233e93be28ef47f58555fdd3a846d09dbf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e514b5befe8c275c9a1d776ef05ec0ad

SHA1
dd64094d73d8ed087a891a704057d617d0af1f65

SHA256
34fb645b63e6ad3d75886fff02eab93221604741f79ca01166342c0d08295070

SHA512
8b7dc2da2133ae49fd4263591f961e4763d91542bf4490454f9b42a81069dc65e6172f12efb1d7d61df2f9e77bd47e982190b92028bf999f86802e7ec210d6ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d165bb089f056f583ff27bc50c2d2f15

SHA1
fb5c22bf7ed7fe24d34ef6d68ca763682bb27d2b

SHA256
8984551211d891a4a27e10b97f42de55da4a231ef8c48d8a6c024aba81669c3f

SHA512
a24bc99baa60376a0e417acab72849467beb8df6ee025b6b532d1772b104c54c33923229e214b660b9d7383cd2c4b5709b3486076a168abdde6dd8f7d99d33de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3ba80aea53695c21031e2707167c0d2

SHA1
3373142f8ea53f9f1f3257d9509f341724620e08

SHA256
7956adbbf11fc877af4b907b1971c20ff7ec17acd2711b38582b6e0f824869e0

SHA512
3b8be812477b677e1f7a1a29e8f54ab0ff7d7f3bb68f7cbcf1f9f36a90e9f55d3412c8ab575d945ca0ba2e9ae01260f4af758d81110dc1c3826a2128d76e8e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dba71c29b404ef490550246491e31be0

SHA1
582d6eaad1e8282bc7addb87813a0beaa51494b4

SHA256
a15d698cd4fcf50ad416f1f264c32375e1baf250695071c463563582b9eead80

SHA512
e9b0c72d03e3b77cc3f12c43aa3ee45c7367977f3f0d61ee73aa47ea3774c59b1cc769112ae41e497d3df78187a24db82a3a676d0898701bdf4f237ae82d55ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51a6c9e639ec1e26365924b356cc2ccd

SHA1
1975e0aa7b27dc30aa77ba33b853b29ab9ac7d46

SHA256
11f87721c5944f0f89b8a3eb4b075c33bc5968b4998426b89c00b4b772b4f4d9

SHA512
9f598180b6dd69b6204ee094ef08dafef59a684b4209778a267277c9b184fc9fb3376909c777cbfc6c3588451a9af8b5cfff56de317f5ab837d8505d5820029a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac308931cd3c312df9b7761364926221

SHA1
226980295dae48318915ff12c40d826f911dae00

SHA256
8048f0f4f2c29db32c4cca203a14a6f20e2d57b14570d887d375b283fec1b797

SHA512
7ddbd4f3541425581799608a2aad2a7d06bed634d374f32dcc74e23796306d66fea681a690450cec59aab8fa4b0ac814489835b32dc7f0492b2edda55607aa3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4159dd2b44c375ed102447933adf31b

SHA1
12d6924d0dca46a9db0f832fba9b4725252fed9d

SHA256
26bd4d0c3220dec3dabf6e60c4482d05ef49acd1722e3bfc9101e473cdb10567

SHA512
b96d2d33bc7cc422b1cfd67489e26591d4737b76129cc3037101323bed83383400a4811bc044141892e78ab7dccb3ff46565bd9f3dbdadf1532fd41a6794ca13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
058f9eb26a3f91e715b7bbce333b2c25

SHA1
19e004a8eb7b693ea35f5d38faaade8b33f95e24

SHA256
e0bd51ec40018c4fea1b2b986e24fd963f0be741550666daacbaa5c433ee051f

SHA512
187668ece030afe5e99d4858519b5c942855b96cf28f33acd44d82fc046be015b103b9006be7250696e4f3adad6478ccb108552a1de31478006a61f63129d904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4644b1ad8733e2a287adf8db0c4e3b40

SHA1
54b5bb606c0d577bc4bbbfe0d68653734b22239d

SHA256
9e2e1c616a7cee4ead4a3719edcae7b38623e2dd935be5fb6b51723932caf4fd

SHA512
a92d221bb7eb571d334690343e68c8cf3220947c2562a751011492045d6ff7d699ddb486bc37b705846a78c413fa2e347b620a93af53dcc7c38b882cb4f74f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2d4366e784a9e1074d7d1194203f9452

SHA1
d49cdee500edb664cef5240ab89ba4d82d51b7b3

SHA256
7ea1e3efbeda174b08c17b2f3509dab6c6b2bb14d5f2c51dbd0002ee8e60ef65

SHA512
425903d04e0574d5f865b90a76cd8b3fde8205faebaaa6c0d6c3155e71c86999718c53e688bae77be63e0671bc24461f18c2bc7c80f62113efd9d51e2fe24267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
dd6085af47993de750fc1bba39e02d75

SHA1
c83d868735b3170ae109cacc1163ba647ab3e5b2

SHA256
847924eed8197b381f6dfe87f2f1ad3d6a4ea542e5afe291e3e5144419ba28b4

SHA512
9d50ba6331a1c5b1ae6b38bdee8e8bf871d63c3245b78b40d6287b9730e862bd731f99e1956ddf28db819592b35b005824b078535de2a0003523ebd8ab62c59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
074215c8c4a2ee64501a12dc3b211bf4

SHA1
b8d8262873cbda12b989a6f5dbe130be3dcb4cd9

SHA256
3d7096880387f3c4f41d6c7f4b5851012f85ffa028738c1f6d10854e0748e40a

SHA512
d30564cfe69303e4ec7dc61f7b207eb6b9c78bb3360590ab6c68d727141ae54e6c03619264f8c423bfa264be5545353684fcdaec3f5cb906c75bc08d824fcb88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf54e4be014ce6ad78b90134f2a0cc42

SHA1
0f0ff5770897e6d9475a4b7513a193074a0b0395

SHA256
f551a9ffb6ce1ef1843ce2f26a034f68580dd34987123f15fa428a1cb9eea107

SHA512
fa49e722834fc1c9ac8ad7b74097982b891cb3d6a9d12c7cf02e85949496e8eb6d5d18af72200ee78163c05cf7c57ed4d19921b00d888700cedecd35ff5135ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe3771cf7be41555b56ae3907f922867

SHA1
def1208feb37aa8e2268c3eb0097f580a4f8283c

SHA256
1156625b04fbb8453520a948273d8d3eded6ac4a88a88fc4b265571253f6ec8d

SHA512
0897086298770aa3d48be7e216c0449817714f695b0f57c63540e05e92d833aad436c2d49fd3fca5121d8f886ea1ea107fd0c11bb2cb7db31eb39ab168fb5565

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4swrm2am.4ri.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/428-259-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/428-260-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/428-261-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/428-262-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/428-263-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/428-257-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/428-274-0x00000000071D0000-0x000000000723C000-memory.dmp

Filesize
432KB

Download
memory/428-273-0x0000000007250000-0x00000000072C6000-memory.dmp

Filesize
472KB

Download
memory/428-275-0x00000000072D0000-0x00000000072EE000-memory.dmp

Filesize
120KB

Download
memory/428-276-0x0000000007380000-0x000000000738A000-memory.dmp

Filesize
40KB

Download
memory/4212-65-0x000001C41E310000-0x000001C41E336000-memory.dmp

Filesize
152KB

Download
memory/4212-76-0x000001C41E3A0000-0x000001C41E3B2000-memory.dmp

Filesize
72KB

Download
memory/4212-66-0x000001C41E380000-0x000001C41E394000-memory.dmp

Filesize
80KB

Download
memory/4212-77-0x000001C41E360000-0x000001C41E36A000-memory.dmp

Filesize
40KB

Download
memory/4212-59-0x000001C4061B0000-0x000001C4061D2000-memory.dmp

Filesize
136KB

Download
memory/4952-253-0x000001BF7FFD0000-0x000001BF80046000-memory.dmp

Filesize
472KB

Download
memory/4952-256-0x000001BF1A3A0000-0x000001BF1A3DA000-memory.dmp

Filesize
232KB

Download