asyncrat | 558909412427b05911a02cddfe00fc5e9d30bc38e1ba636d04aa7efb63438ec8

Analysis

max time kernel
1800s
max time network
1802s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
23-11-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project Buu/Dependencies/Dependencies.exe
Size

63KB
MD5

97be07e4d8fa640d71aa049385d8bcc2
SHA1

cd21b0a98183abe177ce6b1a857f9b4166100b4d
SHA256

df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31
SHA512

23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4
SSDEEP

768:b2yVjLFj7778BIC8A+XkaazcBRL5JTk1+T4KSBGHmDbD/ph0oX2f2/F5qVKGVxSD:jJ7TPdSJYUbdh9GMMKGOuodpqKmY7

Score

10^/10

asyncrat stealerium default collection discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

79.110.49.58:3232

Attributes

delay
1
install
true
install_file
Windows Security .exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Windows Security .exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Security .exe

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows Security .exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Security .exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

Windows Security .exe

pid process

3048 Windows Security .exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Windows Security .exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" Windows Security .exe

pid	process
3048	Windows Security .exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Security .exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Windows Security .exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
5 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	ip-api.com
5	icanhazip.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

4284 cmd.exe
2140 netsh.exe

pid	process
4284	cmd.exe
2140	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Windows Security .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Windows Security .exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

228 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

128 schtasks.exe

pid	process
228	timeout.exe

pid	process
128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dependencies.exeWindows Security .exe

pid	process
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
1056	Dependencies.exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe
3048	Windows Security .exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Security .exe

pid process

3048 Windows Security .exe

pid	process
3048	Windows Security .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Dependencies.exeWindows Security .exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1056	Dependencies.exe
Token: SeDebugPrivilege	3048	Windows Security .exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Dependencies.execmd.execmd.exeWindows Security .execmd.execmd.exe

description	pid	process	target process
PID 1056 wrote to memory of 5016	1056	Dependencies.exe	cmd.exe
PID 1056 wrote to memory of 5016	1056	Dependencies.exe	cmd.exe
PID 1056 wrote to memory of 2740	1056	Dependencies.exe	cmd.exe
PID 1056 wrote to memory of 2740	1056	Dependencies.exe	cmd.exe
PID 5016 wrote to memory of 128	5016	cmd.exe	schtasks.exe
PID 5016 wrote to memory of 128	5016	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 228	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 228	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 3048	2740	cmd.exe	Windows Security .exe
PID 2740 wrote to memory of 3048	2740	cmd.exe	Windows Security .exe
PID 3048 wrote to memory of 1628	3048	Windows Security .exe	powershell.exe
PID 3048 wrote to memory of 1628	3048	Windows Security .exe	powershell.exe
PID 3048 wrote to memory of 2860	3048	Windows Security .exe	powershell.exe
PID 3048 wrote to memory of 2860	3048	Windows Security .exe	powershell.exe
PID 3048 wrote to memory of 4284	3048	Windows Security .exe	cmd.exe
PID 3048 wrote to memory of 4284	3048	Windows Security .exe	cmd.exe
PID 4284 wrote to memory of 3068	4284	cmd.exe	chcp.com
PID 4284 wrote to memory of 3068	4284	cmd.exe	chcp.com
PID 4284 wrote to memory of 2140	4284	cmd.exe	netsh.exe
PID 4284 wrote to memory of 2140	4284	cmd.exe	netsh.exe
PID 4284 wrote to memory of 800	4284	cmd.exe	findstr.exe
PID 4284 wrote to memory of 800	4284	cmd.exe	findstr.exe
PID 3048 wrote to memory of 3332	3048	Windows Security .exe	cmd.exe
PID 3048 wrote to memory of 3332	3048	Windows Security .exe	cmd.exe
PID 3332 wrote to memory of 3552	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 3552	3332	cmd.exe	chcp.com
PID 3332 wrote to memory of 2056	3332	cmd.exe	netsh.exe
PID 3332 wrote to memory of 2056	3332	cmd.exe	netsh.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

outlook_win_path 1 IoCs

Processes:

Windows Security .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

C:\Users\Admin\AppData\Local\Temp\Project Buu\Dependencies\Dependencies.exe
"C:\Users\Admin\AppData\Local\Temp\Project Buu\Dependencies\Dependencies.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DB6.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:228
- - C:\Users\Admin\AppData\Roaming\Windows Security .exe
    "C:\Users\Admin\AppData\Roaming\Windows Security .exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Executes dropped EXE
    - Windows security modification
    - Accesses Microsoft Outlook profiles
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - outlook_office_path
    - outlook_win_path
    PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3068
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2140
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:800
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3552
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\49207407fe73184735e1835aa44c6036\Admin@ZLLQEAGY_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\49207407fe73184735e1835aa44c6036\Admin@ZLLQEAGY_en-US\System\Process.txt

Filesize
371B

MD5
016996019b165cd2e7e2b04349ce52ea

SHA1
48fc4a8c4d4eb942600d8fed443a07333ac46116

SHA256
5db820b21a6af9c252832ee6377cd23dcfa568157f4c0bdad3b0bf30f9e5b366

SHA512
f5b058e9e5bc609d80f7d23a465fd9a82a62c98d69b8fae6c0bd20b07ebc9a31397038438e52064ae7b8c6747e964febf1e671edc957f69cf02ad9697a3cc6eb

Download Submit
C:\Users\Admin\AppData\Local\49207407fe73184735e1835aa44c6036\Admin@ZLLQEAGY_en-US\System\Process.txt

Filesize
3KB

MD5
d97d729fcd21c08b766bade4c9a31a88

SHA1
d338f96981846337bdcebf871c775c24edea4612

SHA256
5cd15fffdb7549a6b7ea26a0dd4689c4a0c4fbfe520aa2bfa071910220ed0868

SHA512
1668db88c7e18768038114edd36c29df00d4b8627d3c26509d54e13bcda40dcf849589bf44530fb4d1f8802bb9829702841e11696853f3bf71df9e3f4e9079c7

Download Submit
C:\Users\Admin\AppData\Local\49207407fe73184735e1835aa44c6036\Admin@ZLLQEAGY_en-US\System\Process.txt

Filesize
4KB

MD5
55fee7e31d2b6b9a37c65d09d526f920

SHA1
fd56ad774134820450465ad8d1619701232e02b0

SHA256
54d0e2e9a1343bfd42828d62883bc0db07257b8970f0f10e3908148b688544a0

SHA512
30a37d04def1a1433cd6af12a333d871e450833afad8f3233c5a91edf4e71c16e0b345eccee956e6ba7de0b7e710e19af5dd362bf057872d5f91041ebfe82833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwb54s5n.0wl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DB6.tmp.bat

Filesize
161B

MD5
c7b8da8cd13079f1b9d5a36f0a45f946

SHA1
672a9291d0e19394082c6a04024972cf2737e2ad

SHA256
fba90d77a938601f37872827dc8732ba51b42c2606d2874796de5cdf2dbbf8f6

SHA512
6fba46cba9b93d02b4454b0739a19d690c3331e67c3f18d17887180f770358657a22402ef7627ba6f3672217561daa35f94e4b35d7ac4b380e9a97ad27017723

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security .exe

Filesize
63KB

MD5
97be07e4d8fa640d71aa049385d8bcc2

SHA1
cd21b0a98183abe177ce6b1a857f9b4166100b4d

SHA256
df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31

SHA512
23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4

Download Submit
memory/1056-8-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

Filesize
10.8MB

Download
memory/1056-0-0x00007FFE400D3000-0x00007FFE400D5000-memory.dmp

Filesize
8KB

Download
memory/1056-3-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

Filesize
10.8MB

Download
memory/1056-2-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

Filesize
10.8MB

Download
memory/1056-1-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/1628-18-0x0000018350BA0000-0x0000018350BC2000-memory.dmp

Filesize
136KB

Download
memory/3048-41-0x000000001DDA0000-0x000000001DF28000-memory.dmp

Filesize
1.5MB

Download
memory/3048-46-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/3048-47-0x000000001D680000-0x000000001D6B4000-memory.dmp

Filesize
208KB

Download
memory/3048-40-0x000000001D4C0000-0x000000001D4F4000-memory.dmp

Filesize
208KB

Download
memory/3048-17-0x000000001B190000-0x000000001B1AE000-memory.dmp

Filesize
120KB

Download
memory/3048-16-0x0000000002860000-0x0000000002894000-memory.dmp

Filesize
208KB

Download
memory/3048-15-0x000000001D340000-0x000000001D3B6000-memory.dmp

Filesize
472KB

Download
memory/3048-188-0x000000001D040000-0x000000001D0BA000-memory.dmp

Filesize
488KB

Download