asyncrat | df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31

Analysis

max time kernel
93s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dependencies.exe
Size

63KB
MD5

97be07e4d8fa640d71aa049385d8bcc2
SHA1

cd21b0a98183abe177ce6b1a857f9b4166100b4d
SHA256

df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31
SHA512

23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4
SSDEEP

768:b2yVjLFj7778BIC8A+XkaazcBRL5JTk1+T4KSBGHmDbD/ph0oX2f2/F5qVKGVxSD:jJ7TPdSJYUbdh9GMMKGOuodpqKmY7

Score

10^/10

asyncrat stealerium default collection discovery evasion persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

79.110.49.58:3232

Attributes

delay
1
install
true
install_file
Windows Security .exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Windows Security .exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Security .exe

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows Security .exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x004900000002aaa3-11.dat	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

Windows Security .exe

pid	Process
4812	Windows Security .exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Security .exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Windows Security .exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Windows Security .exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com
7	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DllHost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
5188	cmd.exe
4104	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Security .exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Windows Security .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Windows Security .exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1488	timeout.exe

Modifies registry class 5 IoCs

Processes:

BackgroundTransferHost.exeMiniSearchHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Dependencies.exeWindows Security .exe

pid	Process
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
5420	Dependencies.exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe
4812	Windows Security .exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Dependencies.exeWindows Security .exepowershell.exepowershell.exetaskmgr.exe

description	pid	Process
Token: SeDebugPrivilege	5420	Dependencies.exe
Token: SeDebugPrivilege	4812	Windows Security .exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4212	taskmgr.exe
Token: SeSystemProfilePrivilege	4212	taskmgr.exe
Token: SeCreateGlobalPrivilege	4212	taskmgr.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

taskmgr.exe

pid	Process
4212	taskmgr.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

taskmgr.exe

pid	Process
4212	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid	Process
4764	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Dependencies.execmd.execmd.exeWindows Security .execmd.execmd.exe

description	pid	Process	procid_target
PID 5420 wrote to memory of 5308	5420	Dependencies.exe	77
PID 5420 wrote to memory of 5308	5420	Dependencies.exe	77
PID 5420 wrote to memory of 1584	5420	Dependencies.exe	79
PID 5420 wrote to memory of 1584	5420	Dependencies.exe	79
PID 1584 wrote to memory of 1488	1584	cmd.exe	81
PID 1584 wrote to memory of 1488	1584	cmd.exe	81
PID 5308 wrote to memory of 4976	5308	cmd.exe	82
PID 5308 wrote to memory of 4976	5308	cmd.exe	82
PID 1584 wrote to memory of 4812	1584	cmd.exe	83
PID 1584 wrote to memory of 4812	1584	cmd.exe	83
PID 4812 wrote to memory of 3572	4812	Windows Security .exe	85
PID 4812 wrote to memory of 3572	4812	Windows Security .exe	85
PID 4812 wrote to memory of 4016	4812	Windows Security .exe	87
PID 4812 wrote to memory of 4016	4812	Windows Security .exe	87
PID 4812 wrote to memory of 5188	4812	Windows Security .exe	98
PID 4812 wrote to memory of 5188	4812	Windows Security .exe	98
PID 5188 wrote to memory of 4280	5188	cmd.exe	100
PID 5188 wrote to memory of 4280	5188	cmd.exe	100
PID 5188 wrote to memory of 4104	5188	cmd.exe	101
PID 5188 wrote to memory of 4104	5188	cmd.exe	101
PID 5188 wrote to memory of 2976	5188	cmd.exe	102
PID 5188 wrote to memory of 2976	5188	cmd.exe	102
PID 4812 wrote to memory of 4756	4812	Windows Security .exe	103
PID 4812 wrote to memory of 4756	4812	Windows Security .exe	103
PID 4756 wrote to memory of 3976	4756	cmd.exe	105
PID 4756 wrote to memory of 3976	4756	cmd.exe	105
PID 4756 wrote to memory of 2336	4756	cmd.exe	106
PID 4756 wrote to memory of 2336	4756	cmd.exe	106

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Windows Security .exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows Security .exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows Security .exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

Windows Security .exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

outlook_win_path 1 IoCs

Processes:

Windows Security .exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Windows Security .exe

C:\Users\Admin\AppData\Local\Temp\Dependencies.exe
"C:\Users\Admin\AppData\Local\Temp\Dependencies.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5308
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows Security " /tr '"C:\Users\Admin\AppData\Roaming\Windows Security .exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89F0.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1488
- - C:\Users\Admin\AppData\Roaming\Windows Security .exe
    "C:\Users\Admin\AppData\Roaming\Windows Security .exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Executes dropped EXE
    - Windows security modification
    - Accesses Microsoft Outlook profiles
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - outlook_office_path
    - outlook_win_path
    PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4016
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:5188
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4280
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4104
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:2976
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3976
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2336

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:4892

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4212

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5772

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\113b08c6-1a84-4142-b5b9-9cb3f71220cd.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b7443e89f0cb29d51ee6a257750e54d2

SHA1
84127eebf275e781d5276af6fc4d09c5a6bfb7b9

SHA256
8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26

SHA512
446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgshhsla.edg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89F0.tmp.bat

Filesize
161B

MD5
2b679d934aa6116960a9067d0d92dc91

SHA1
8dac17ae83613e752aa5aeee26143d7238092973

SHA256
aa1938a2caae01f9804024d1e0caca6fb040ccf3b76e662cd788f9480347c2f4

SHA512
b3ab62737de75052df03b7084e08a3351b58f61f51d65cad000927c05eef62d24a3efb5b43bb6ab27cdf37774f9a5e0278931c07169b21f47d4c7885cc4afd74

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
530B

MD5
e8b9c537111aa7a76a73ec53cf66f0c9

SHA1
805d9ee8cb22125cdf9da70e0a7d3fcfdc5dda3c

SHA256
2d0c5a37c721040c2cf6326f0e8f45d4899cb1e36e0d1ced847eede4b31cf4d2

SHA512
e5024da6320e80a383f95defb4c998e78498eb4364dc044e797aa898b588a55dada882992a9322667721c82daafd7b0a332cd4f55b1376c5f7a5786ffb22a5e9

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
1KB

MD5
836a52f8b9cc5ada40422774c8303dd5

SHA1
27e2fffe9bdeea785a28b2e267f4ad2f65beafc7

SHA256
0f67da5bedf20e2352b17e414e34310f5f9c5e9e5295669ffe0b56c1ea1066ab

SHA512
423add540de63d9757c44599ff2ebc9ee55e57c51240f24dcd9ec4580e95e49f31bc32a0e9de14b08c36172ab4d5b6127263e40647c5d85b51439e948158c2c4

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
2KB

MD5
7e2bf37fe6905fc2aaa1d732279542ae

SHA1
7a718755c6bb2b342305517f9818208a35117813

SHA256
156aa8205193cce657fe59b22c0c81c503036516f9fd8ff3c9b988b8eb517ac4

SHA512
bd23c864234c9caecde47de658cf49a124c7b82290240e9f70f1fef937dc182d0bf58bfc96fc708e51168cb2c484534281c69e26027106081a657bbead2674f0

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
2KB

MD5
79afc884592703cd32d3b6af109a1be9

SHA1
ea97f75e65c6210c7f08ab084eae6aa8055cd91b

SHA256
ee165d5a393a818250f2698fd41bfe0ae0469321db2897096bf661cfdcd08510

SHA512
2abbff84f94f31fdb8cc2a85fac8a10c50612aaea5d0d6b900af62597b951133b2db2923daf20acc2c7c953f70b6b51d79afca2f34cef31607021874c2dc02e7

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
3KB

MD5
f465a48c3618cede2f9c6fc78c7e6675

SHA1
eadca163033e3ed8aea400c2c07a4e3f0dcbd221

SHA256
883ab5b2955fed43ed5f3b1d94fd6fbf731962e3f592643659ad94f46cd3353a

SHA512
4474dd78511197a51384daf698ed274c52f1d78729bcc3b8cbb382052a45aa9899081e5def08bd393c5edb7a378a0f01cd4874b8f28c73c05e851ffa538a294d

Download Submit
C:\Users\Admin\AppData\Local\a843bc29e9067c054ad9793ef429af3d\Admin@FEBLIQTI_en-US\System\Process.txt

Filesize
4KB

MD5
12e1582b9b6f72eade80c3605e596ffe

SHA1
f8aa253c5f9c71e9804f6975651bb3875447d2f9

SHA256
0f042d1119b8f9f37c3d8d7395e5517af5ec5b25b01e8eb9574f78d9512cdc19

SHA512
1a63b3f166300ef084e9a8ec3617c576a7c0082b7609beb5d12ae463ab24c954ac73f917ffe53eaa576b9224ced6fb2ffc30a3af7609e6f8a6337244e80c2bf1

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security .exe

Filesize
63KB

MD5
97be07e4d8fa640d71aa049385d8bcc2

SHA1
cd21b0a98183abe177ce6b1a857f9b4166100b4d

SHA256
df4e19980ecdf58f0a6562bad1e4929e30e21f4b3633f9f33ad4b86a5406ee31

SHA512
23e6b9ea22b2dead07d5b6baf076afcf747e8ba02df9afbc81ca3011f91035cf6d385c5a9dd5ae63fe6f95010ab928379baf4d55cbb04c4bbdcf246689e52cd4

Download Submit
memory/3572-23-0x000002741C980000-0x000002741C9A2000-memory.dmp

Filesize
136KB

Download
memory/4812-17-0x0000000002E30000-0x0000000002E4E000-memory.dmp

Filesize
120KB

Download
memory/4812-47-0x000000001DBC0000-0x000000001DD48000-memory.dmp

Filesize
1.5MB

Download
memory/4812-52-0x00000000014A0000-0x00000000014AA000-memory.dmp

Filesize
40KB

Download
memory/4812-46-0x000000001B900000-0x000000001B934000-memory.dmp

Filesize
208KB

Download
memory/4812-16-0x0000000002E00000-0x0000000002E34000-memory.dmp

Filesize
208KB

Download
memory/4812-15-0x000000001D2A0000-0x000000001D316000-memory.dmp

Filesize
472KB

Download
memory/4812-204-0x000000001D820000-0x000000001D89A000-memory.dmp

Filesize
488KB

Download
memory/5420-0-0x00007FF994253000-0x00007FF994255000-memory.dmp

Filesize
8KB

Download
memory/5420-1-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/5420-2-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5420-3-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download
memory/5420-8-0x00007FF994250000-0x00007FF994D12000-memory.dmp

Filesize
10.8MB

Download