asyncrat | hxxps://www[.]dropbox[.]com/scl/fi/63k54vjrrwy8dydxq5vm7/ForumeStatementFile_ztJGhivmtwsSuk[.]zip?rlkey=5ho245f9us9j35q4xa1tceiyi&st=eqy325i1&dl=1

Analysis

max time kernel
1139s
max time network
1140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/63k54vjrrwy8dydxq5vm7/ForumeStatementFile_ztJGhivmtwsSuk.zip?rlkey=5ho245f9us9j35q4xa1tceiyi&st=eqy325i1&dl=1

Score

10^/10

asyncrat ramiserverngnet credential_access discovery execution rat stealer

Malware Config

Extracted

Family

asyncrat

Version

Xchallenger | 3Losh

Botnet

RAMIserverNGNET

anothonesevenfivesecsned.ddns.net:6666

Mutex

AsyncMutex_k2D8ja65kBaVT1RR

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	3780	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe
2524	powershell.exe
4424	powershell.exe
3416	powershell.exe
4680	powershell.exe
1628	powershell.exe
2844	powershell.exe
2308	powershell.exe
3196	powershell.exe
1196	powershell.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 4312	4680	powershell.exe	143
PID 2524 set thread context of 3296	2524	powershell.exe	151
PID 1628 set thread context of 3312	1628	powershell.exe	159
PID 2844 set thread context of 1068	2844	powershell.exe	169
PID 4424 set thread context of 4984	4424	powershell.exe	177
PID 2308 set thread context of 4864	2308	powershell.exe	185
PID 3416 set thread context of 4908	3416	powershell.exe	196
PID 3196 set thread context of 4876	3196	powershell.exe	204

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngentask.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133686444606093529"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
4312	ngentask.exe
2524	powershell.exe
2524	powershell.exe
1628	powershell.exe
1628	powershell.exe
2844	powershell.exe
2844	powershell.exe
4424	powershell.exe
4424	powershell.exe
2308	powershell.exe
2308	powershell.exe
3416	powershell.exe
3416	powershell.exe
3196	powershell.exe
3196	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4312	ngentask.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeCreatePagefilePrivilege	2512	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4312	ngentask.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 4124	2512	chrome.exe	84
PID 2512 wrote to memory of 4124	2512	chrome.exe	84
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 1556	2512	chrome.exe	85
PID 2512 wrote to memory of 4120	2512	chrome.exe	86
PID 2512 wrote to memory of 4120	2512	chrome.exe	86
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87
PID 2512 wrote to memory of 4792	2512	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/scl/fi/63k54vjrrwy8dydxq5vm7/ForumeStatementFile_ztJGhivmtwsSuk.zip?rlkey=5ho245f9us9j35q4xa1tceiyi&st=eqy325i1&dl=1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff3b9acc40,0x7fff3b9acc4c,0x7fff3b9acc58
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5384,i,3314873740982169554,10164004639877609260,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ForumeStatementFile_ztJGhivmtwsSuk\ForumeStatementFile_ztJGhivmtwsSuk.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:3780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$eksdmocc = Get-Content 'C:\ProgramData\TestoBronic\eLLLLLLLLLLLLLLLLLLEoJR.xml'; $metrooooooooooooooooo = $eksdmocc.command.a.execute; Invoke-Expression $metrooooooooooooooooo"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\TestoBronic\AMDaKLloQIIfldh.vbs"
    3⤵
    - Checks computer location settings
    PID:1328
  - - C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" session
      4⤵
      PID:3580
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\taxtrleandiablo.bat" "
      4⤵
      PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\pointaudioremoteend.ps1'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:4708
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:1604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:3420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      PID:2568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      PID:1148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4312

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:3972
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:2116
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3296

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:3628
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:4988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3312

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:2612
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:4820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1068

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:2240
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:2464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:2964
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:4200
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4864

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:4824
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:3984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4908

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\TestoBronic\inst_tronic_dll.vbs"
1⤵
- Checks computer location settings
PID:1848
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:3764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TestoBronic\BlututhTathring.bat" "
  2⤵
  PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TestoBronic\AMDaKLloQIIfldh.vbs

Filesize
1KB

MD5
09fe83d38a369938c9d0d580212b5e4a

SHA1
27c00aa8fc89d22e235fba8af8ab98b8ec2794ca

SHA256
124a1a0f5af4a6c7abaf01f15cfd3bd0ad1f44264ba77f8f9b7a38017257fb57

SHA512
4a0f6a69ba3960ff7f4e3d00ed6b62303ee680a8a68dfcaa1b33300bd0f703153b584b1724188f02762e0ced404b5cefb7d6264da2cf27b93af99d0a29c7e0be

Download Submit
C:\ProgramData\TestoBronic\AnSdNslImE.txt

Filesize
8B

MD5
a8a83092504aa294279bdbdb91c2280b

SHA1
44fe829e889e425d3e6331e59ed125db05f60114

SHA256
e37276070a49392777dd5f41102b47528a0e6fbf122b898d8eda2f0eff5c488c

SHA512
187c89189980e96f05649a0d2897fa06bca0997c4961ce80c1522ea324ff1798ade34cd032abdd5806bcf9e082f6dd729ba8cb60371e82595083b0547bb1c5db

Download Submit
C:\ProgramData\TestoBronic\BlututhTathring.bat

Filesize
1KB

MD5
1097486dcfade1658f073bfcea3eeedc

SHA1
a25078a6ca45446c6037b483808e5a10c6b3a5c5

SHA256
faf33221b3c83d7cbbd490e29abd565e3b6d4e1f7dfcba496a3ff6e24f247696

SHA512
5dbebb420b998f5ba4782fbd757e34b9fd0b64a031eb316c7321c7eeabe4156b18bffe0ea2f50c631a846f7861d1da226b75907384e93814946f1fe78e19a076

Download Submit
C:\ProgramData\TestoBronic\DOkQjHJrhL.txt

Filesize
109B

MD5
66d8433a26fcb81efd5d81bfc25aebb3

SHA1
c7eef08d6d6b48ce5afc82df961833023ad6c520

SHA256
7ebb3c89be1d4604928e331787077c5bbdf0d3f74a76f35e29d987849df57774

SHA512
cc0bcfa6e32c98eb758d7a8707bc39300e153f64dc07c6a7c6685319c777da9361496e75636541d0dc649a661578aef73f823ff79acaa93863da2fcf87c71dea

Download Submit
C:\ProgramData\TestoBronic\HFdylsubIE.txt

Filesize
6B

MD5
d50aa5a0aa6fb79dc44f50361b6ee966

SHA1
d604b84d1ab9daa283a5c1515a4ce9b61030c4e3

SHA256
0fe9e9f192e9241f9dae392b5ffd38489f4b8d1a6f3f351ccfb167a59e4027c7

SHA512
d308aa18c5a5e4e13f273674e407ab9be8c5a84e165809cf4af8255349ee2bfd3a0e5bb3a0e850dd285e654c9dfc9e6940f210ce341aebd9d2c9443055ab698a

Download Submit
C:\ProgramData\TestoBronic\PHSUiabXYD.txt

Filesize
9B

MD5
c1877b9f865e274a965e39183b43033e

SHA1
60e4f44ccb38950a5442cd31e70195ea781a81a4

SHA256
f1e6cecec8b3f209b1b1d27605443614a18985c2fc00be9d0a1b6910eb4a71d4

SHA512
1085f3e2ef62183048effa93d9093075e3a67b2b1236024b7afad7055f5c81462ac5810441e890fdc8c313d0937f00fc213402a32c637ee5362bc8a8900b9da3

Download Submit
C:\ProgramData\TestoBronic\THmCoreIEMLLKK.ps1

Filesize
1KB

MD5
3e335a9e65a609766a4dc676c565dc1e

SHA1
e223b3c78453bb087167ce7819a1e1ee2b470e58

SHA256
fc473b61cff251b54fe689fc786c907e8ce5b8a2e7b315501f1212fcad56da11

SHA512
b9eaa7a438c9061d70896a5e56d53d0a798ba5813652911db9b3a5bb19c596c5c7f4f675be548b401cb81550953bee4f767b0f503dee265f97914c2f9037b22a

Download Submit
C:\ProgramData\TestoBronic\VjOxUxUTJX.txt

Filesize
11B

MD5
7eb2561c37ed8d10de3ab8fe0b46b581

SHA1
0a90e7861b4e0bb8b9f3166a04bca3dd2d1038c4

SHA256
c0565bdf0b7522c48fa7fb2f8f0cadef11191228fe26f11921c9baebca6842aa

SHA512
304ed7a759c7c4f3746e78684a8f0681032794c1d49440f0a16f012f8f8fb6b92dcc51e421d53241a33b909cf03139d210aa8377432e5d4ef4445e77216b402b

Download Submit
C:\ProgramData\TestoBronic\YUidWkHyEUbuNmXmElxk.txt

Filesize
192KB

MD5
a5ec386ad116c48f9f650027ea995d58

SHA1
826968d2ced30405e8a253931da350acb8e7c284

SHA256
8cda078872625bfa8fa165d6193762a47f196b6ff263e67471382b22a2e2a273

SHA512
b08202550a377c3c012435318d211ba128b6d529cba9a6e39a23ba03cdcda080b0f8df5ca5cf6b8bffc276e7f02585a411f3e51325581428fe021861acf7829b

Download Submit
C:\ProgramData\TestoBronic\eLLLLLLLLLLLLLLLLLLEoJR.xml

Filesize
491B

MD5
65c02e6289b6a5e7395bfe28870e2a5c

SHA1
3c818c46224bce01b9ca0cee444166e1630bb542

SHA256
1e4d2b20c4693352fe3c07287a7b0b23283dbc461fb2b4ff1b2f312c35cd83e0

SHA512
0848934fbef4e1eda4676426bd1093a0793c9f784180e9abd6220673571fdfd811dc5883fbe30978aa0593aa582a8a203e6150e10fc3ce32f9009919aee77f2c

Download Submit
C:\ProgramData\TestoBronic\eUZRNqZIFx.txt

Filesize
11B

MD5
d7d88fadc06a17853929346eccdc02fe

SHA1
823c64b6228f44d83ea5be619acef0794d62be68

SHA256
2c7a8db7972321f75201aec580d66bd55656427f8cb8af28cef152c1c25426a7

SHA512
4b68e0d9a175e6cdfd301b090f406a27e404800969431fa2996605a0f45d1b6c310e4daf58da7727bf3132a5bb2c072073e9508492dc46a9d94ac19bd0e1763a

Download Submit
C:\ProgramData\TestoBronic\fZtORcHsbE.txt

Filesize
48B

MD5
6a78d6d1e7c732b3ea101e1a51a1f41c

SHA1
50bffbda1bafc5c7878e90ff6cb7d284134aca31

SHA256
54fcf113baec3b38b006f15bb5775782076bd37817164b46973ea954b4901b5f

SHA512
099542cc4d3ee46a2317f57ffa000dfa4aea5da8babb8d9e3c88a055422720b56a2896dc8dc91734ece3c91021f63f1b2a81250642513341169873c58ef0f0e7

Download Submit
C:\ProgramData\TestoBronic\inst_tronic_dll.vbs

Filesize
1KB

MD5
0ba4c2427b752c7315a05428a6eec521

SHA1
3ce6a1bcfbdac6f334800f9b8628b76235015d24

SHA256
7c2ab36c4db4cb30fe012065dbf33ffbe93657f199c01b2c673dc11665bebcfc

SHA512
9049a8ea8f83659b1b34d3e9a0f15f7bc6ad034702e0d98a59205a5101e73c701eb5bac0386bbc313a23edcb7834201f686e1b293358eb8bff4f9e6623ccaac9

Download Submit
C:\ProgramData\TestoBronic\jSrlfsdoMx.txt

Filesize
35B

MD5
ee5fdd013bfb29adebddd3e5165a2014

SHA1
eb9ac04232bf40d1f9a1e91a0cd89bc83e87f979

SHA256
f99af33f73309301d2779d10106e274b99ac9bb98403c2969c6f25134162baf1

SHA512
e041ea8513b2636aeaceecafa2d0e7e6c83e41651a79bb4f49005841ef2494fca402df2486d47329e1e53013adda7fa2c3a57090df7db763b43b9dfa2ec149a1

Download Submit
C:\ProgramData\TestoBronic\jbMxIHqutB.txt

Filesize
9B

MD5
c34a6bf09e7f7444048f907d78503140

SHA1
2bbe95da04878a156d2bdeda387b4082f288461c

SHA256
08fb9026b4c0dd64cf4e848e8dda726d8cd4aa8dac8c9e6216aa271c1b8eb342

SHA512
936be892183313d2672caf1b1cc6dda27200adc83744c0203c767ed7f7c3758824738322d448f1b8f56cba37168a1424532b74b1a6c650b0c7bce6524c9e207c

Download Submit
C:\ProgramData\TestoBronic\pointaudioremoteend.ps1

Filesize
746B

MD5
6a366453714e4ccd8e69115ef2a31da3

SHA1
81db8831fc76e0596d2fd80b7df4870a516962c8

SHA256
f75c78b95e630bd11e37c52f67faa2d3283dffcaa6c831b29b16003d04e635be

SHA512
231e17f38eddd08dd34d032a91d84f79cc7a1b09950240fc6843592a6347c48ec0bda8544a1c4c38d544c5054a13a404340c08a3cd0e49ce40a1ef900024200f

Download Submit
C:\ProgramData\TestoBronic\taxtrleandiablo.bat

Filesize
1KB

MD5
c58fbd68b2415b94f7a60d46ecf347e3

SHA1
a6d6320536df7121157db1401dfccb25f5ae3296

SHA256
65f928e25053ecdad6445db572acc7a0977b033f40f6ad8da5a0645c12be7ab3

SHA512
81d6e00ff648061aa6d23e1f9e50605295b469de9e1c981546920b46d397280cc6e9a3c98d8fcb5358c0d2e467fcd5b989152bfcda10813cd15ee16a2d3f0100

Download Submit
C:\ProgramData\TestoBronic\wIyRrpjguS.txt

Filesize
508KB

MD5
45ea14e8e0aa31913c128e972c0823c6

SHA1
50befd38b9ab1c3a050321bc2421cb5347d0e884

SHA256
dfceb259aaed213dab66650172013d6dd3c27e2446a4d8680fc68a605fbf143a

SHA512
f1263275ff97803b175f9bcf361ea2704d82f73fa87a69e8fba9f37afe4e6531cf7d884d6d26ecfcdd3e4cac663fd9d37b5350016eb07214fd624847b0ffb238

Download Submit
C:\ProgramData\TestoBronic\zPlnEWoizAnMbcevBsqO.txt

Filesize
464B

MD5
2ae925264eb587bd76d3fd153daed9be

SHA1
5a6784edfd728f1bf7c17d01d833082cadc46c9c

SHA256
7849f2a852f68663b3ed7960a3f3052a4f43ed4780b234ea45f0a550a60678f6

SHA512
e782c7683687e657b67046847b46b91f8047f8fda3da7b23143a616ca8d814d044b47a6f29c400ee27f4fcc2a7a53b620d953efa1b017cc5e1695529de299db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\62866d94-d81d-4126-aead-25cc152821d3.tmp

Filesize
9KB

MD5
9cd4991fe721ca01d72867c5b4687136

SHA1
203946e677a250b9c2c18d1412c9752ce44331b2

SHA256
6bf0b2ee9764449fa285055aa6903cf1dabe84adaec1a83d04dba005c2eb7e70

SHA512
bf64ee4a0822ff55b8b9279a9af1bbfb6672a110de3a43abafed92b5b1f1432de0615dc956cc427b5ef6bf85245029f9d8f15647f092ba3c6c1a81457f7a6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5ef01b37df64b7ef30816cfa0b958fdc

SHA1
9fb6c4e2d4baa7bfa8dee9a68fddf4f1c0870490

SHA256
925608deb65d88bfd3c8b36728629d0f84e850a58c42d4c5a273d32b75360a5b

SHA512
66d5e32bd2870f17ed28ea51c5ab6f586af0474a86714eacc4e022d9f2eb4e5f47e5619ce85069d7425ebe693eb46509f9eae34b6c3631e8ff27c7a6c9d896f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
121184aebc328a949dc8db474cbda9cc

SHA1
5854da5b0dfaa06c279eb192852039d6360bd0fa

SHA256
b3366ecc0336f47f54b5308c6d3f048e14f2ef0c4d03b2a4498194de6ec8d106

SHA512
8389f7ed75fa8424354000596aef49724537d0a0d9fa2153af4d2216010b2235628ac313e361bce184b660ed50fd6ff79efa1358f3e5eb4387b909a6638052ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
acbc002e6e165c29f59d2841a314188c

SHA1
dee806c18ebc5a90d02e676714de684f642e0d95

SHA256
0466decc4827169a06a6c927b7c152c57746643d0d44db6382b70835fc1f3a1c

SHA512
cb4ea2b170ed6766c347eec35a7f07fa44ead191c8cd94b5b197ee268bc917b765ce966576b1c935877d62c1b5eca8606d405d1790c906f6a7694022bdddc24f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
74f31434ba8e5df317ffb6c73747071b

SHA1
f87eea7786b9a94fb0a491fa46ccda4d368cc679

SHA256
440fe79938341bf40a5a93b9c7d901844f01d9a62a4084a1e087b7a2ddaa6396

SHA512
7efeb3cacd5262c4992f6b0151e11c0aa4521ad1578ad8032dcfdf11dd43dc9e5c6b71e81a7a4aa450eee3381f3a91f2916850dc5ef284a3481922d85d3c1437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5576f22c3de76bb4c436f59c9aea24ad

SHA1
01e2b8d6d62f152b798568c4d42d59dde1679bc4

SHA256
6d9cfbe8237ab66fdc1843f8fad97b359407a2492ddaeca347a6273f8cdc735c

SHA512
adb3a8dfcbc3651623b955b2ef48a250dfaec6b73fcd3368f1972a1e0c0966daf2425edbc9c0ba7a7f92287ab54d0136e738f1accf040bcbe768aa84f5271969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
968a00aab70450b1b061fd792c00ac45

SHA1
80244ee83f5ba88fd904f2284b112225ca4461ec

SHA256
dcabb37581fad9fc3d639c9a51f8b73e64c426afe10b44f659ccf7ae66ac2a8b

SHA512
680f5ad7e51bf5f7c2e74b10273a343d9eb5dd0580929756cde09a8dd67071a648b924b21174816f8816af033af5c034543847a2c1683dcc940bcc04257a631e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bbc8d260855acd1b968e5b7e40e8986

SHA1
9746a6050f08daf5d52bb380d3682a7ddd4e2a39

SHA256
5f5a68e5b5d95c537d0fae065f56b75d18c36ad2311cc3a2d21a626fcd5951ce

SHA512
b5e0768f9aacadb6d6f2db032c25f3f447030ae48a8234dc2adf0ca66a61db2532f61927c205e8f817059a5b7297463e10af0fe3d176507fbf9672b6a25cb918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92ae15bf212cd5b197b2a7dc178b5a5c

SHA1
459512f549313680c301d577b34e35c97f88443b

SHA256
0899b1a86f64fa695212cd70a24098d757f33821357185dc21a702a3ad5b3a6a

SHA512
c8ef709e6ef7d964fb5138ea441afed8e452507d1789cf2e58df062492c6e8396cc42bc56427ac38adad50cadf1c2bf40b5a7ed3289ee92207f69fcf20cb08bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
78f5d7bb6071996f5eefeec887d3db56

SHA1
ff804e36fed91c3a970f123860541f91a0f0545e

SHA256
f9cbe35d81f5129592d7bfc96314958658b1fbc18fcec6519f230df267c0638b

SHA512
9287e06740cae4c1939e3203d50e5155ab97023ca6dc354166b4b0b8dcd77541db115e39e109a1c59179656a15d5632876107c7057ce18a347d834d2d86ac226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dead04f2444cd22941f56e2d0ecd5f7e

SHA1
0e46acf7e72aa3b9340e79e722f4cfb4a9776df9

SHA256
6c09e7039e7700e19bdab894f1f611366763d18ac2e57e5052706836829c4d1b

SHA512
533db95343caff57ed4b7450006b5e822b799101463b401e6f76f37b5ffec24bf50d38d6c5be6963da455b82d2dea3c74b8001186629e940d4f12231e5faf368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a0a33a6374fa6133a8fac09096348fa

SHA1
00342ff0520cce78ac66a718383ed6f557a3f8ac

SHA256
65f4139048becacbb8025836dc53915de9a82cc2c17dcea42eccd43e83b7e303

SHA512
35b1caf1d286f9f37369a748d7d85e7305f576fdd2b8c5e1d89320f40911fe6f538fb9afcc0c554ef9f82a88529a5755fd688908f8852cf81a8efbb3cc976261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
664b86c3666853c4fb91366f06238bc4

SHA1
de63e9eb4c0767b8e9a7a7bf19cf9f199880f9b4

SHA256
758e44ea6e2c0f4d3c28557a1447650befe1df23874db53689e851077c224b52

SHA512
d0adb5da151c290c0380e31cd878b7ef8dc8de063b226bd9cf015525d856dff27c1e4d90761413d4e4e5fb4a8415403c3ea32fecb27beeb32becf1e7c30a93b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42145be8002df5e122f94becb1bd0b09

SHA1
00895a39eebc01e274169be7dc8ee273813fa9b2

SHA256
3bbd7cdaf212d1a60d2302d09ba21aba562e80166386529f15aadb449fa9a398

SHA512
60cae3030d74182f1a9ba91d42239125607b4e832f4fbae3f891791ba15886f6c21a099cdc8e869c13301bdb6330db3e20d3f22ac3c4bee83732537edf3e003d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6fa73aebaacfe08935b8d1e28af05c1

SHA1
e9e38ceeaa31e44a1a47218f258b14005e1748ac

SHA256
4b6532d13cfefee2475840326debc5865a03daca3eda5d3236a9e095cc3aeae4

SHA512
778caa36ad5e30c2dd71578c77a31378c69c7b739b57a7c1881651d55eb1894356578476485352ecca6cd1c2a79714c3fcf734f79f01ca53236da3d15d1e279f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e08c1ccf6ca64a4e9e0fe77b8c4d4f1f

SHA1
6ca8f0db44b818848dbe891b04a3bf4998749646

SHA256
df3f692e5183492a9a7d13a7570f1a91b33ea4a55825f97d43b969ef1bb4682e

SHA512
f533e5262c15b0c0d2115cd014f13a4c923a1a7990986e5314b1a5fa75fba5045e680a47b35fc095b9ab2b7eb47a73f6c36dd38ca633ca1ff0a056037b29ffda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7eeffd5177f9dc2b2e10d4976b121b7

SHA1
8ac2713c17004b7103832c0ff8e7c5edaab57156

SHA256
a94afe3098c795398d9670d718cf670e1288769fd9ca7f3ca78da3e48391d802

SHA512
a0d49e0d13c4db936ca190288d614dca260ba58f4c69c49b5e08777acce4c39611cc42c270f04fea0212209c0e5df753a50cba4c72e41287ce2a765ccba7566c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
33b78e027669917276f6df18fdc05aee

SHA1
f32f4ef26da5c652c33c875d9a08387ea67c626b

SHA256
47cadd9c05ec84012f99ae7773a42d9edf103992a2314a0c65b3f3d5179be200

SHA512
c57255b005a2a83969248c4a521033d0212a55891ba2e3894d161b2784d7d0af6b6075e4a090f0278e59ff9ff1cc0b61a6b4e3085e8957502f67fb76a0ab4a58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31a60ea912bd3119bcaf40fd960d584b

SHA1
a4be7de51280e2a5a44d86423c14c3753484ad9c

SHA256
cc97cc88d91166d101fac5b48cdf64c06d1f360fb1dd831f74ae29ae2767fd76

SHA512
a7d5c7d01ac6729d6ff2bdb206e7903270da1eb18acc154ca53ea09e30f16c5a41a8540b0522c7048b4e827bba8684d373e4513e53b33844d7add107d3b2bbe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d38a0c733e5d6fd69538a5f35914285

SHA1
6c60afe076eb528ada9137c71a45f251be966b0b

SHA256
a3dc9c2ec35ac94c60fb248bed8aa7973ed154c26993eff47d9206719809aab0

SHA512
f40a8d3c5c0d45df22b87bcd1a810d618da95f167a29a43fa07b8026a71e2a5cf2ae15fdc826785e1f1b5298ef3ac140928b3edcdf998dd40d90dd1805ddc965

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01b1c42d564648fb60e44637b7926f2c

SHA1
057cc81419e0fe2c088f2d2f3fb4c3ea8e83702a

SHA256
eb2405c4ca927d9d5730fb91af7a88de9ec9dfbc66192abc979adbafd10bd583

SHA512
4760c820bdf44041b30fbfc67a56dff9eac9115f2ac6c4b5931835f70724fa8bb2d68411ddad425cea7a254345e608ea7babeb1b4d2200f8fcb63fcea8d48934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9f5591add0393a1f4f0e30a538d0845f

SHA1
674699f6f95abddfcc3065bbec65b3d6e86e7e11

SHA256
623b8ceab14daa72dd8122be1c2396f4dd2a4f4d18cd0ad1f74795b877358920

SHA512
bce2640b119de682df9b65e2ecc1290aead210d62b35d21d79d6a65452a4e4533ae08df06df667c9d9f5c73895c7fb9c837ee7ab2dc0a4d889db604722af3656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ebdf8f1b8805ac5b128043588f1df3db

SHA1
47462b951fe6b1687cb5168b4c9cd331eb5b1305

SHA256
a2e536ccdc73807562022ec2cbab736d440af6d680834981d40fbef124cdaa1e

SHA512
010341ea159b7ae9fa243e1b0e9a5b27f58e0eedfba3dcc77901dc56fa3cca2b654097ebb0c49492c02c0b4107e7bc665aa2436f968182ca77dc2d33f60b60bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d310f8e35d6477ed5c9bfa3b42f36f3a

SHA1
d62d8c73f88198da60b014636381bd64e9ba54a5

SHA256
e72912de7942cb9e0f35b52ed80996e2471b60052579181cd6d6e3602666510d

SHA512
351f664fa2c4d0a5083a515426cbcca0813b59ad58b143c7858e0b29eba484355b69b13625fa617f3ad4032cd95e81fda9a45ee83ae084219ca7da1ae28d4c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fdc8899c48a7735cb43b1b4b2442d394

SHA1
b38d8a322dd042c660fddce088ad6ae7d5afe356

SHA256
fdfcc138bca537318766e8bf8aa2f9ed2340f68c3cf510fca0ae717112e2457f

SHA512
7576aafcadaf21b682af20fa9dd308804f1196473d816415c44a7360f02cb1db52e4cf9b319f17bbd403ed512bb52df81f7a66e1b8106dc5f3702ef3f32d4329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbf6015c0db44ae6d42e533681afc070

SHA1
50f11479ab54b420fffafcba171d9aecc1d4bcee

SHA256
7b07c32da28588ca437240bd8f1c249dc58fa3bc002867f2057aeb48e01220c9

SHA512
368b63ed09db157b5a7e5ff68e29177398e22716dcd9552607b039222fc05a84649cd2b1dc6a6fdb0885db5ad5baaa3f6446f290799edd1b6444033b309330a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cd3e314dd8b60d0a48d0aa108362ebd

SHA1
a1475d32e1581dd327f76b58a980984775ade702

SHA256
a1b7bd987a680561b36c5dc36d62729e0f46abb1c847854967a3e41c0854f204

SHA512
27f8fc7bbfc302e17ec2177bc215c965eb8d5beee58368fee099cd168561d51f532c549b196495d27955542c0c107c68e4d0d46cf294abe5b0bcc130c97fd338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eae5543775ff2f70aa051937da29aeb0

SHA1
3516daf4c49bfed73188ec08fd2b21544f2d208b

SHA256
9224d430acfbf99ca60c05e80fed421dfa680952bb213f9d6bd71e51bffa7590

SHA512
4b645e05797bd892f9f6fe19fadef96104a515951a3f90b33b73e67b152ea902624d98ca8ef147b5166a8b3c924158e22982b3f5c4a7db94ad4e90234c1d562f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c9bf7bd3e4ef0d05b56b38b061fa901

SHA1
9eda8950a859ac19b27db9b6b30b8cb75f0a9364

SHA256
158514716352373f93003b4ec1cce228764de94dacde759dc0445d8ccade5a4a

SHA512
3ebf25d3ca4588bbfe3afe5ec423994e2f7534462e6ebc74341473eb1df1b91ee1af58d39a54b944f64a24c83864de6e754cadb99a4e36e7aed70535d349e957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8388895696a5f05b290f511c55ddc412

SHA1
583f9b630f7a667bb55f577bbd48ff1cd0a01b5f

SHA256
b226e64ff5bc56fe25904da39ce3afd2c56e000efcb7afa60acf5cb9305b51ce

SHA512
ac2bdf4762b0af59c0557d2a459a867cecc2383b6cc097deddac124dc883edd45a8eb42c2f36c4cdee1f2940465f0244fa6e5f4d6fbe1d2858a18d4315a18cd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
caa532b6edb44bffa1359583d6bb9f30

SHA1
1a192fffa9106c025f5969dc830ba3173a211c58

SHA256
6e048ebf4f4968e7165120552a08e2f54443e7ebd62b8a28f7a1b4a3fe42b889

SHA512
d1486328abfb2431b4c010b5d27c0e3f68dcbbe578924e63f17e2ff35e38726ffcf0415c5a1989d3dfb64539a90af7dc4c6fd176191d18a0b1d331a5b654c063

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e985724790f645dd86a960f7bd21bca

SHA1
153da67eb06c63dcdb25e983990b72ba08623954

SHA256
71616cdedc4c80e1ded714b3a1733762136383c9b6551dda9b4f690e2cd9bd6c

SHA512
6bdf75748b10b059efc6febef4041303b3add19d59832b8911d3af5e457c66f6a8e3df369a8ed87e6b17bb7b705a816b14c61dd89828ddcc005a7da624b79c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49fde00feec334d118874d02f5d68940

SHA1
e06b02d49233a0283b2dd4223158b04490bdaa7d

SHA256
e0b2bd47044caa309be76897d0d026f7d797899b0f39f438b73d03fe82971525

SHA512
90e3cffe086e7e6d8ec68a418bba768e866eadaf13bad9d43d2047b2e4aa3c956002e2125b29898321352f7be6a562ddcd25830345de571f2a8eed0ad8d175e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed97d380da46dc641c40e985d6e1b2df

SHA1
b3f59b8021b0271f67fccd394dd4a7c37f967a63

SHA256
e66fe6372a6dc2d34f87584b6641007199228d8543542bd4063e726d678e4065

SHA512
8aa4b02123ff3c6df2ea2ea4406b62afc117a9523595304ccfd5c7e3962e62d789e06cac9f63a56ac6aed33182b5759b8cdc37cbe4d7365f13e332453446691d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42a59a55a4c74de4c35bca7edee0b71e

SHA1
9a1bf0a16a283a3a6fdf45661429d51b88d80349

SHA256
017fc635e4fa79f6ac5ed80cea4376657259f6aa7a4d0bd43f6dcf78da5cc56d

SHA512
4d7f63c75bac01ad212804c120055ccab02094e98e4ff1cd89023f2debaf7abedb3ce092c8f70ce35e606a47d61fde4aed9b04b526ccd016877e3301572f6bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
315ed1a79f494876d4bc5e8144f0f08d

SHA1
2100215458206064d65d354b1d45892fe0af0a63

SHA256
ac680e3eeb071541171e2ac14df1390abbc6a4fe5f282323ba2c4c9162b1ad99

SHA512
6cea054a1174e130cd77bbc84e1a21fa959bc201bd147090e55f1dd0b37397e2fce06aaeee72e7096ca5069b05404e2ddb5902a702583aa84c7c17d9e8caa142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9090c5b58525fb4166e0623fb71e1292

SHA1
435150f5d2feeaada37ef1e30ae97003fad6838a

SHA256
29bfa95cdd1e30b4ec2c3682cacb912bde11c1e404a63bd14a6c9ac9688750e8

SHA512
8d01c13e44b645b737549489d3f601681e31b42acc77ecaa300cfb655739da76b3da8e2f19d46446fc36e3bec4d40e8aed0cefb747f26a8bbabca95139a0405a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57b71d572de224fbaf80ffde091d6707

SHA1
8728ebd0246ccc1f31cbb863486ca26508ba1f53

SHA256
0b75cfa715b4b3ecb1399b783f5e6551975cb7af23179be4ab1221b20d32ce7b

SHA512
b6f645035d4417e8d7850eae6f88dced456468f0fc90133028aab7d0138def7263ac40e35c0a1efce0bdd570eddd36931b9e05119d400c5460fba3460f270837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d6933b7b9e27080cbc83071578daa6b

SHA1
88c976829b2397c7cca949c32852883a547156d9

SHA256
00de94e3e30f647d3c62b8dfb8f42c6912482f84ed4c51543873fca4b780bd5c

SHA512
84c0b3512f75a3e4bb9b216e5f307eb8c96baa94ee35a26748204421ce70e6f830155b99a19809ccec1bee291ed6dbddd2ab21886119999e19b4c242cc079696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04e0b013360163caba618f5352af1a3e

SHA1
4f85ecab023669e55923b3881017854962dbb52b

SHA256
d3fdf66e0bfddd2b1e27e2397730889a768f89b9ed314e4618ea25047955a425

SHA512
203f413c488a65b6abe66b22871d31e355025ea3268a553aaa4e7621c580c99baf48a9bee6d72246e26d32049d453235ea5dd0b2ef5434fd2af2f4710b2a24aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06909e40c9e3a2d5b05c7ab3527b0361

SHA1
12943f1a894a3781340f70b26bfc148dd31e1fd3

SHA256
85fbe3802444944d4b19d137c40bb83168e5366efa648cb12e67b29949b36325

SHA512
b0b4fd744adfca7569880422633de4722cec66f172053bf544f9c94dcb21f3c31b1249b5b83ed0fef61ef2a5143c1da578134df0c015aa98ea222326acdde656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d207aa0dffd3d4163af044491a4afc0

SHA1
0237e3dc8fa5b0e5e6ed5c79620faeaeaea2b690

SHA256
5387251e0cde820cee188bf9bcf434374829010beada2b199b341edb9f29e4c2

SHA512
e240fbc030ece113776253f4dfffea87b5c1487639e6a314c818cc582957e48699e8ae1562d76d2fbb84295b1b32b2fe0ba9a18f6cfe0e0c744d2b066d7effd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7b2304a8f6a8b70b61eca2b4a5e08d8

SHA1
8659b75bf109f556a1d4df8fa62046d06114e8c8

SHA256
aa73801efb5133a31f17017616853a729952a0a3848bd9e31f3efbf5cd30bc52

SHA512
e5f6677f587036ab55b4b949390ae2650eaa140d57bf61b5b427d3238093de6ff3708750299d9457ac881df0807d6468b79b8d4e91323642f2dbc4c15d63ba0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44d020f6191a22e63a9fbebef21b117c

SHA1
7e9e9fcf6194801de91357bde678a4a3a8dfacae

SHA256
7dbae381d4176cf465947b7722ce04cbc9eea42a5fce4edc5c88e23ef0d53d49

SHA512
aaf0cf612e0086756cf7be2ac29e35e6a3593e46345597e29b6544fb618146e94e1586179fb25d757072acb379f669554eb51d214f3219808f375146fe116f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a58092fcb070ecce3097e1fc9270b896

SHA1
9c934bcebc7e1eb39d1edc49c78de0a8bbe9ddaa

SHA256
cf4b8245be0fb64f94b2863f2db7cf0681c1df4587d1d885c092d570c44715af

SHA512
f73ad7f4a789180d2ffc4bb9b94cac0c5815dadeed2ef227a94a6464cfc2f78c279e20ba7fd8dffef3cc19caafbdffa587620f1d2b5c9183ac24a6debe73f1c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad1737738b1b063edfe7624c336e7b02

SHA1
746a935add145fc276e74bd5e9c5f3630840b3b3

SHA256
afcfb27d12b47c02c91aee692ea46109234f011d9d3eb0ddab5bdb234424656f

SHA512
1ffb00abe508452430aebcf19b3a5970773a0c9fe225be27cfeb48d866138123e6064ce0ded01ba35c8db36a7ec507588940fa26907e75dd64025d2d6eb25622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2aa151c5eeed82f71089e9369835972

SHA1
3e6451a94d86c053f16e1753fae56696d5407f1d

SHA256
94e3ddd56d4cba84c6ccbe49d315983a90f7264dcd180d17b9cc63fe512aa51a

SHA512
4a834a220f1b2ab6472b9a01f5ef98d8634cc5eedc356aee007cd106d71b5ca7f1182fcf395189c2eeb6425f5e5465b8476499bae1a9c0ddb061da52130c5ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c18c1e1b31ea8e7ab83bb2198a16b33

SHA1
dbca7040d35971797ad74c62ec349c3a542fc2e9

SHA256
f08550455dca1c26633c76a8b2baa6476f8c09d86cd54cdb7f831cc17b083980

SHA512
d37f4e303bf449c9c6f10cf02d474f004207db565a0e10980b80eb2dae2972c3d8d9d2a8988757bc9fab20ebeb07b957855d7abf21b81b7390bebdc5b268d2d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b4ec084bcce87a5d7bca2510623a74b1

SHA1
fd605074c221be1e91947f36b2bc495f042b494a

SHA256
6b4eb19e0387c8df11bbbe641f6c5ee7d4bc845a8b6d50df2ea444de5146d473

SHA512
66b964dac240aafc1d6d76f329b525346a68e42e50f1edad7fb4942e6ca6984738ec5ef097436afe6319ea0f0d5cbd383fe53f19d2922253cbb21ff16b803682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88385d26d528c8112dcc8e7678cf97e6

SHA1
648b1eec5d35939e9bbae11fef3b435d74194ec1

SHA256
d608cea3f7406030f33f322f004c56469e0a431ca55f0cf42425d60609c26a92

SHA512
a7f6270b5dae257b740be39fa510c81e34c7a9587173a8cc49731a057ff1792e521f10732bab22dd5e442a1cad1dd39c52e1f22def658e6097916ef880234d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5472d95ce8da2fd8773f75a1de07fafc

SHA1
2d43050712ddf0e9b357588a953d100efe8d6dba

SHA256
9843afdddeb873ba0ed84d88fc1ccfd7e76f74fea242856cb2fd9a6166d69b1b

SHA512
5d9444804944c4eacfd263f0565397c883c79e2b86fbcfd60d9a4c6faf0523c98711720cbc9f96f5ccf89c44db9301ae8a277fcae2c9483ba6a28039201f3a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25f4fc73b68270218b315f33fa34ba0f

SHA1
b1460bc016414610bbbcb3d3ca4ade3b10928680

SHA256
a42968ce22c0bada0db09bb9be6c03533728059937e650013e91851eee1ecc6a

SHA512
1509f0025480c9ec9744fc6611426d3a050e64911a2fa0bfb291aef57451b9dc280982b1f6a84621aef854a4bfef7211e6a35e2cd166abc56efbb037d0d1da13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
962b5550425ce9d4e8a92763288ee85a

SHA1
abdf0edd4773bbe9b37bbcf2b152cba32ec7d1a4

SHA256
e6e180458821a9dd2cac02fb7d37d2f6dee9d75fdbe5f0cb975b3b504b199e2d

SHA512
ca54b7b78c9c70f0099a4d2c6274de2773ad089286bf15a5e4fd2a79953bb245712b862068b03eeb7304088accdab87cf3a1ae564fe9c6d835cd379f1facea95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b89a42d61f422c6e79a990145cb48df7

SHA1
bcaeb0f9cc2957f11bb251982a690c4d2f083eea

SHA256
1e3743ec4b17d6391942cdc59d0d894eb26509abb03c1446e8801d62a1ed907e

SHA512
74e034f7088bdc1d3b8ba6ee44110535de70775a51505b363df42958faaaf59895406424c1a0550641f28fc2e4a866b69ead1bf17740e747ec54820d918aed4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3f5b1bf77559dba9552aec22f38e696

SHA1
b6ae9ba490e26a72f9389080d92df2a975a96888

SHA256
092cd1f55703ac6be6661153830dff0eac4f545be627c6d82784344ae2972fb3

SHA512
df0cc23a33eac40c0cd6c80a960e66b52f640497436ac03779d917f31458d5ecfd811668333a28e85ab9344342705b78eca45e78d7c91d0c4bb1b8bd4811c0a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5b09d43f25771168cee5c122402f45e

SHA1
e3dbb1a37fe0847b5cd2d730537a0015d8da5800

SHA256
ced22836b11514e039332c5fd7492f1078b5bf98a12b1a5beda6cbc0ad5c5a01

SHA512
ae68f9cb89b7e0f18eacc0dd60da2505536412ada19a5cfcee8820248ed952a806e58bb191f97fe133a26f00d4cba98fa76fcc410287dbfa6de80f3cdc1cd0b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19cd1a81811eb4e4df64a495a8006422

SHA1
8a515b4c70838c35fa4173b075cd6f4d8263d649

SHA256
e40a7bf94b766e5d58f098e3046da7df897c3e7800cc8d0ed3f00c85abd69662

SHA512
8e094ddb300194517d456275842cfe52875432c8618d4559538d6c48e4d673e69e9a33eeaf14760d2a4543eb5c674e77ce66f449e7f03fd22afd218894c1583a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
206228564500dac9b543085b9f579631

SHA1
aa8c175484a35e9f9b6a9cbd2389a3d5e7b54eaf

SHA256
037f7561bf8ac4af0531eb260bdcc44f7beee7cddc0afabb7c13eeaf5d60f90c

SHA512
0d2109bfe0cd90eb6abf2605e92db089da56d5490a820294c86e7074ce31f47bdd104ab1e29acca4b94af8bac73eb334ac812d6ba46e76279dce96b31c31cf2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5327644d430c439ed8c00846ce2cb8f4

SHA1
f83c0a05323b3d4dc8b85e3fbf5c7297a44d4925

SHA256
cb79bb6aea4db789f3826f2b31eb2c1d84dc7361f08b8eb786e66b7cc9ffab55

SHA512
6226a506da97d4ac9c8a60b795706e9d3d6417a245e8c907c0094ddf74786495577d34a3f5d2a539dee262aaa04d2577f9f9e3e6b96b1b761e2e36a9079deb74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
18b43cd693a39b021476a414272b4a05

SHA1
2c86691572c0b247ddb81633ef066d4ca5fac90b

SHA256
cf92e52b4da82ed06880979569e65177377b2282b9bdf3fdc70bad58a79c33e5

SHA512
04f01c510d641b18aaec36ee0a33c11abb715b70863772064541c306facff55555f3a3a805347bc53b2df1a90cab0bac07a57d0e448cb84bab20a9a3546b5e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
dd6085af47993de750fc1bba39e02d75

SHA1
c83d868735b3170ae109cacc1163ba647ab3e5b2

SHA256
847924eed8197b381f6dfe87f2f1ad3d6a4ea542e5afe291e3e5144419ba28b4

SHA512
9d50ba6331a1c5b1ae6b38bdee8e8bf871d63c3245b78b40d6287b9730e862bd731f99e1956ddf28db819592b35b005824b078535de2a0003523ebd8ab62c59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ngentask.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
943315b0659521cbad0b4e664b96e6e2

SHA1
006dbb6aab58d5374e064430179692bdc7bc60a7

SHA256
288bd57524a30d33c9f804e4c5cece9001cac93a795b0447f6c47613af580063

SHA512
ff8d0f35c0d6c1c59b6f709d5cfac0d7bc167d1bb385a618cf666360f819f9e20c64c4a994c97fcde88d101e76dfd1aba77c44c56f27eed0915d1927e9e21846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eadcc927335b38f9504fe9a702dce403

SHA1
25f9d9a73ddcec4b9c327bfacb632b7489ffd41f

SHA256
a30edf96227c7919626864bb107c2890384bb43f0d8785746562e633a0a9292b

SHA512
fd3daca95d5e78900ccc2ffe0548e9334c8bdbe92713b071159060fb2067fca30df2565c23e351d46b0bbea7b741230c1d525ac20ba4b43fa6bade295f38cd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe3771cf7be41555b56ae3907f922867

SHA1
def1208feb37aa8e2268c3eb0097f580a4f8283c

SHA256
1156625b04fbb8453520a948273d8d3eded6ac4a88a88fc4b265571253f6ec8d

SHA512
0897086298770aa3d48be7e216c0449817714f695b0f57c63540e05e92d833aad436c2d49fd3fca5121d8f886ea1ea107fd0c11bb2cb7db31eb39ab168fb5565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc74b14e42ba09af7d7966271fb6e7e1

SHA1
644a54e46c3e6f1272a2f742bdf6a4590f018730

SHA256
99b09d47e5eca3d96ca3afc131d46d92e1d22d4cd97095891411a60743056a54

SHA512
fac115940ef9a31239a32723e8b2a480b19a362beeaa262fb8bdf22618d9afb363e5ab1c6a9d7b399691c7f101d52b080285502c580c5f9f894c349c649d13a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6535cd170a58731a70191e1c3d428335

SHA1
8646a6e2d886b9e4f06642a810e1fb836c2385a9

SHA256
0ea225d13eea661d5f88e01ff1272dbc68592913298e41d3f06872b09489598f

SHA512
b9e73e3a54f0f7e0eaa31a8ec650ad39342f12d1da4eee98a0d23b59a13f79674b84f215fb707f6728e882131be1a3363ae227b71550fba97f85d98c8bba3c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9b62672a2e87116cbfb1b09828c66a5

SHA1
01561bc6c5de310dd6018fb55d59a29685d12840

SHA256
c4e7e22b172886eb3bf7cc99dbba1d632d0d8c291935eabbac3c25fb326f016b

SHA512
0f79c3471745e2493a19c93fe7d40f5fc7cf3fcbb9ec82cf196868e21dfffdbdb905d5523b6d0023dea721e977e210963f48a6f140259a18553b9e7d5a3c70c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17395695d989e8cddbc7d046e5c5358d

SHA1
adfa216c2c8613337e0032001cef46d0ca6a4656

SHA256
f3211046ac80f54b97c9c730ae555adf3d3d1b2622d82eae435b2fae346a788e

SHA512
cfbb8c4a394d884db5d32fe6e279e1f742cc78f8dd0387ec13ced600e21a65e8e9b7c8a278539627ea194739fdae6d786d9baabc04f94a6a12aafd8a0a127069

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ev4pr3xr.3tw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2232-101-0x000001F746940000-0x000001F746962000-memory.dmp

Filesize
136KB

Download
memory/2232-110-0x000001F746EA0000-0x000001F746EAA000-memory.dmp

Filesize
40KB

Download
memory/2232-109-0x000001F746EB0000-0x000001F746EC2000-memory.dmp

Filesize
72KB

Download
memory/2232-108-0x000001F746E30000-0x000001F746E44000-memory.dmp

Filesize
80KB

Download
memory/2232-107-0x000001F746E00000-0x000001F746E26000-memory.dmp

Filesize
152KB

Download
memory/4312-294-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/4312-293-0x00000000070A0000-0x000000000710C000-memory.dmp

Filesize
432KB

Download
memory/4312-292-0x0000000007120000-0x0000000007196000-memory.dmp

Filesize
472KB

Download
memory/4312-273-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/4312-272-0x00000000061A0000-0x000000000623C000-memory.dmp

Filesize
624KB

Download
memory/4312-271-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/4312-270-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/4312-295-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/4312-269-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/4312-267-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4680-257-0x00000226ED0B0000-0x00000226ED0EA000-memory.dmp

Filesize
232KB

Download
memory/4680-254-0x00000226ED0F0000-0x00000226ED166000-memory.dmp

Filesize
472KB

Download