asyncrat | f65b4ac5a2e3791b5851ff09840e334a51169cee78a5c383f956cc11e912ece6

Analysis

max time kernel
149s
max time network
147s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-01-2025 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV2.09(rat).exe
Size

5.9MB
MD5

bbe4425a7b91d830ae36203ce3660a19
SHA1

147d8f6cd4b7694a6274cde567b4b94c51bc3b3a
SHA256

f65b4ac5a2e3791b5851ff09840e334a51169cee78a5c383f956cc11e912ece6
SHA512

a4e1957b5a829bd6a833fca9616e790f6fc976c35bc6110f259142415593a0369e5dc6ec45e3dc72b1ea3776d7a999beb77b80d80c36684391412e8beb4425e9
SSDEEP

98304:Voqb1QHJ2we9het0Un2reIgLxmqMBfiGJRkZqtVwCYWoOacfHM26PbF8qz16B8BB:VoMIJJeCwaxmZBfiGJRkZqtGCYTQMXF7

Score

10^/10

asyncrat gurcu default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7674843264:AAGzWOldtG3GqsZObUVSOc6rpPUp0jvoUtc/getM

https://api.telegram.org/bot7674843264:AAGzWOldtG3GqsZObUVSOc6rpPUp0jvoUtc/sendMessage?chat_id=-1002262935377

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000460c8-148.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	BootstrapperV2.09(rat).exe

Executes dropped EXE 7 IoCs

pid	Process
4948	1.exe
3680	BootstrapperV2.08.exe
3472	svchost.exe
2040	svchost.exe
2732	svchost.exe
4440	svchost.exe
4472	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
17	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	icanhazip.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250101183320.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\eb89e918-ebed-45fb-b288-7b9a84330cb0.tmp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5184	cmd.exe
5252	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6004	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1192	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-114766061-2901990051-2372745435-1000\{9BA8F68C-266E-4EFD-B3E9-80FBFFFBD46C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
2732	msedge.exe
2732	msedge.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
4948	1.exe
2832	identity_helper.exe
2832	identity_helper.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	1.exe
Token: SeIncreaseQuotaPrivilege	3472	svchost.exe
Token: SeSecurityPrivilege	3472	svchost.exe
Token: SeTakeOwnershipPrivilege	3472	svchost.exe
Token: SeLoadDriverPrivilege	3472	svchost.exe
Token: SeSystemProfilePrivilege	3472	svchost.exe
Token: SeSystemtimePrivilege	3472	svchost.exe
Token: SeProfSingleProcessPrivilege	3472	svchost.exe
Token: SeIncBasePriorityPrivilege	3472	svchost.exe
Token: SeCreatePagefilePrivilege	3472	svchost.exe
Token: SeBackupPrivilege	3472	svchost.exe
Token: SeRestorePrivilege	3472	svchost.exe
Token: SeShutdownPrivilege	3472	svchost.exe
Token: SeDebugPrivilege	3472	svchost.exe
Token: SeSystemEnvironmentPrivilege	3472	svchost.exe
Token: SeRemoteShutdownPrivilege	3472	svchost.exe
Token: SeUndockPrivilege	3472	svchost.exe
Token: SeManageVolumePrivilege	3472	svchost.exe
Token: 33	3472	svchost.exe
Token: 34	3472	svchost.exe
Token: 35	3472	svchost.exe
Token: 36	3472	svchost.exe
Token: SeIncreaseQuotaPrivilege	2040	svchost.exe
Token: SeSecurityPrivilege	2040	svchost.exe
Token: SeTakeOwnershipPrivilege	2040	svchost.exe
Token: SeLoadDriverPrivilege	2040	svchost.exe
Token: SeSystemProfilePrivilege	2040	svchost.exe
Token: SeSystemtimePrivilege	2040	svchost.exe
Token: SeProfSingleProcessPrivilege	2040	svchost.exe
Token: SeIncBasePriorityPrivilege	2040	svchost.exe
Token: SeCreatePagefilePrivilege	2040	svchost.exe
Token: SeBackupPrivilege	2040	svchost.exe
Token: SeRestorePrivilege	2040	svchost.exe
Token: SeShutdownPrivilege	2040	svchost.exe
Token: SeDebugPrivilege	2040	svchost.exe
Token: SeSystemEnvironmentPrivilege	2040	svchost.exe
Token: SeRemoteShutdownPrivilege	2040	svchost.exe
Token: SeUndockPrivilege	2040	svchost.exe
Token: SeManageVolumePrivilege	2040	svchost.exe
Token: 33	2040	svchost.exe
Token: 34	2040	svchost.exe
Token: 35	2040	svchost.exe
Token: 36	2040	svchost.exe
Token: SeSecurityPrivilege	5276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	svchost.exe
Token: SeSecurityPrivilege	2732	svchost.exe
Token: SeTakeOwnershipPrivilege	2732	svchost.exe
Token: SeLoadDriverPrivilege	2732	svchost.exe
Token: SeSystemProfilePrivilege	2732	svchost.exe
Token: SeSystemtimePrivilege	2732	svchost.exe
Token: SeProfSingleProcessPrivilege	2732	svchost.exe
Token: SeIncBasePriorityPrivilege	2732	svchost.exe
Token: SeCreatePagefilePrivilege	2732	svchost.exe
Token: SeBackupPrivilege	2732	svchost.exe
Token: SeRestorePrivilege	2732	svchost.exe
Token: SeShutdownPrivilege	2732	svchost.exe
Token: SeDebugPrivilege	2732	svchost.exe
Token: SeSystemEnvironmentPrivilege	2732	svchost.exe
Token: SeRemoteShutdownPrivilege	2732	svchost.exe
Token: SeUndockPrivilege	2732	svchost.exe
Token: SeManageVolumePrivilege	2732	svchost.exe
Token: 33	2732	svchost.exe
Token: 34	2732	svchost.exe
Token: 35	2732	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3584	msedge.exe
3584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4948	4996	BootstrapperV2.09(rat).exe	82
PID 4996 wrote to memory of 4948	4996	BootstrapperV2.09(rat).exe	82
PID 4996 wrote to memory of 3680	4996	BootstrapperV2.09(rat).exe	83
PID 4996 wrote to memory of 3680	4996	BootstrapperV2.09(rat).exe	83
PID 3680 wrote to memory of 3584	3680	BootstrapperV2.08.exe	87
PID 3680 wrote to memory of 3584	3680	BootstrapperV2.08.exe	87
PID 3584 wrote to memory of 1088	3584	msedge.exe	88
PID 3584 wrote to memory of 1088	3584	msedge.exe	88
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 2264	3584	msedge.exe	89
PID 3584 wrote to memory of 1996	3584	msedge.exe	90
PID 3584 wrote to memory of 1996	3584	msedge.exe	90
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91
PID 3584 wrote to memory of 2244	3584	msedge.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.09(rat).exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.09(rat).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4948
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5184
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5236
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5252
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:5280
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:5620
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5756
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5780
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4440
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\004229fb-4a04-4878-9920-0faf05e749ad.bat"
    3⤵
    PID:4524
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4948
      4⤵
      Kills process with taskkill
      PID:1192
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:6004
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.08.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.08.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/invite/8PgspRYAQu
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc019b46f8,0x7ffc019b4708,0x7ffc019b4718
      4⤵
      PID:1088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
      4⤵
      PID:2264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      4⤵
      PID:2244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:2448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
      4⤵
      PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5572 /prefetch:8
      4⤵
      PID:1588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5568 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
      4⤵
      PID:3204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
      4⤵
      PID:5580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6383d5460,0x7ff6383d5470,0x7ff6383d5480
        5⤵
        
        PID:5672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
      4⤵
      PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
      4⤵
      PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,15021654786896016706,3622412691614674921,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3160 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de0e1d3019517b3b005d7731bbb8a355

SHA1
ddf1f15c241f72585595cd30de12c4c3ce4e2f97

SHA256
4ceef5b8daa774c456edd70e46668746b8fa086bb9515ed5975e6737e40dc3f0

SHA512
84f7a069fd6f0713fdb9d35f17839b8755671047be477e49102f5777e8ebeeaa6421d3816727dd37f1241f4653c063fb0823ae7bab1d3001635c5075c2ba464d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
913cd25b0de81960e841c81a7bee8b19

SHA1
2c4bf2a4de37c06bea3e39898c9a98ee611b5455

SHA256
b01953744098bc035aee2a21976607df9352ca42abc3e01d769e2ceee1c9bd5f

SHA512
e5a879cdd1f83d6b6ee13117924522c967e2413c29722b5507b632514e28a0defbbcc942e7176f819e05df7bef37ca5133ba5efeb67a91c34b3736eec05ac8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
54e4e4d35c471a2ae9f94fabba9e43ec

SHA1
0c9044c1699ce8160b087be838f68560d37efed2

SHA256
5cb30ce5f7306aef0e55698676baf84936cd5118c54f403431c5d6914f212540

SHA512
8fd3a72a6fef4ab4087d9736b2b6ca3604632ad35fd4cb1ffa218e9b27942d43675911ebc9fe454e108e39851ddd2db38ca717b2c8d4753c8a1c2f7a5302b197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
c1e6286618b2f6d66b1607a24cf13245

SHA1
e7f993fce39391bb60caa2731e8284de92379fe4

SHA256
2757c4e0dc1448cd5ea282f797d6dacd99808dab51de975dcf1ac3847bc04a29

SHA512
d7b7310a7a17934d5b0db589087a1097af2085990ab30689776aced8d23ce7d0017150a073c42e9aa87ff545e78e9680ea6e008b3fe00584f55241dd7a2a6915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
ff9f825925f89085b6c4809612c14b39

SHA1
3cd291d4b9d7bfff93177f074aa75d7034ce0d4e

SHA256
118d159f05b7fb0b7424c2374470d9e77857047f4a0663e944e2363ecf04b0fa

SHA512
735ec4fd0c01534dd09a61b341ed00a0bbb7488c1e267d736041d96e0f6a62c8b4090ded41986464cf82b472831c6d10f9fbf688e20340f6c293ba5332e05d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58a488.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
6f20c4c5f1b39b610ed818ed6f69f0ff

SHA1
31701254a382a4486038183745ee9dd9c00d8682

SHA256
f883cf8f0c7a18e0ec6248b82958c90c172d6db0792211e4eaea85201be70a79

SHA512
dda7fbcb6cbcf77b586c683aaa28b12e100fe46eb56b3840969f586abae11cf8fc0f5fd4d1f78bfa44e560cbc19027bc40c7cd27d2874655c6fda4a011ae7110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89b21ea4c3e276994a427c9c6579601a

SHA1
ae93209f5c8b4bab8707ce72f46f4611b71a90a5

SHA256
dc0c62b9c5241eba0769063ee5dd471d18c6853e94e81f3dcb71c6ed666b6f38

SHA512
60fa4ad68c243272a812aad0ceb3dbd91b25cc1b6696a8d513af668f58312142ab207c2bb9315cfd85832a27aca2d4079ab696aceab388b846335d773dbe3603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0888d6f7fc84152ea19deffa10006cc2

SHA1
fd573d27e76735adfdf74926c9b05039def3a535

SHA256
0020725f56d84b3b97b15cd809d6927f9cbb9ba2ff0973d821605ee616e78df0

SHA512
8e12b97c91cf1a0360f019404e7e9a1098afa55981296b31b91f5c77251bafd5afa7c3aacbff20d95b18e5717f18e949cb252fb9f43878a54540f962b33e779a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
cc420cc45f686797b102b94f6bfda2ee

SHA1
2b0b5d4848cc346c341cbd51d5fc6ce8a08910e7

SHA256
23f845e57c6718a65f93b97ac9c425d7abaad84f75e77e662c4df298305b9a19

SHA512
2410ec9ef56e8ad547219c4ffde2d02ab4fe8ea668c51f6519e224805770375427a4db95eab5e5f062ebdf36323c5bf03d1633508776fa553da2e8c408846092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
832b664db8c95c83ff39b95fac93bb5b

SHA1
9d244b3081440efd5dcb15c341b2e790e5af359c

SHA256
d1d1d00928970105a43609aa8e2516b41e9473ac285cb591fecaf74b69213487

SHA512
0d46d177ca250277b341f04e3e4565b048069a14993bd1d89d38d03ac8cc4b499dcb2c181bd86f12f903054923a3bb47787d229ee975d900dfd6297db22c246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2f52cd79ae12db2206f3f2eb2868138c

SHA1
61fa6926d810e7eecd1b711bc0f53991e96b9869

SHA256
a38d3ddcf13deb0ed9f4db3132a5cf54d98ce4d5ec3712945bbda43f42b94fea

SHA512
f625b5aea85ecd3e57cc54e1851b4a0ae89724818fc49625cc46964cbb1cc393a92b89bcf2d0520b939f90cf15444928a14901bd166229648035e569004e2831

Download Submit
C:\Users\Admin\AppData\Local\Temp\004229fb-4a04-4878-9920-0faf05e749ad.bat

Filesize
152B

MD5
1e52428db8b10876da0e84c8d49457fc

SHA1
4fcbef0478b7b90e52eca8522b5e02a8c766dc72

SHA256
ab06cba6dcf3ccf8a5ff7012878fd790bbfe29e9db67663dd4bca491c8d79638

SHA512
752ff37b9bb2a10ed80208cdd086b14314a4089db0a18b74bf20ac2b5f498fb19df7febbcac75cdd117c0e60be5fc22df644a5342bfdd0bda18b3a74a7b565a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
3.6MB

MD5
67fa781a0df1aea8159a22c0390023f3

SHA1
d3641ee05ddd0a652a9004894f09b484336f115e

SHA256
c59878f34eb08565dde137d3da8f37185c07b01de149b4c210497703c737605a

SHA512
2f7fb249fd1e4097928adffd40b5131002b6fb47a26248d92f0781f6510dbb4e382febd2bfc7755970baf2f4c90d48591ca3edc08d10ed0491df9ee4575eff2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.08.exe

Filesize
2.9MB

MD5
3f960b403cd616c9f59b3c22fc69aeca

SHA1
c9878d8dd7cada17525d0fb41626ef10387cb624

SHA256
8d0e9176ab99c1c4442f8529a5e06a84cf4573b79d21c15022f825ad9c36c84a

SHA512
bd48219ce56276114a411d4a3b19ff723cf20fe75571faebd43c2567b2a6cc73b77ffe5858ac5f80cec32d79ae3df84ebfc42b80b38af14691727f2c08399761

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
690B

MD5
4501d51432de377f9533279e4182e2c7

SHA1
e31e923b41a95d1593f0b18cdaaeab866874d969

SHA256
7fa9eb712d715fbea90d011004a8cbef0eb7a7d72a29a7bcc8397795b2fe0296

SHA512
75b5b7b9d18f78f560e5b9bd15f3b85d0650b8d1c1eaa8f9f2f89a30896c0a2cd799ae300cab36861ed6a2fc2ee047408af33e93f542d20e32d247fd8731837f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
c513539dc5db762f0d8ca763e4cf9a10

SHA1
40e9be0eba307ab7f07927e99c78cc189d287332

SHA256
1eda8d38012c91cc8fc2aa9f069c5f9a5f4ee4be04eaa8082362f316e26ce67a

SHA512
148366b2fc2aca6347cb85020e561cffbfa7985017f271a436ad662823e3fecbbca8e43e4839d170d85c8aea85da1fcab6edace40191247a1370cfd4ef9df505

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
61b380f4a903aeb690dab0e6c8f23ddc

SHA1
0f96f80e376d3151d8c34f47b310a3d667e89b1e

SHA256
8a71b82e5e97623473a5dbb617db2ccb9c7664f4f5d511d15083949ffbbdf944

SHA512
216a17866415bafb6be054fd450041d2db3869e2548d850e50f3fad427853ed5a57a58a49a06e1d6a00e5aa2619f2597d8d2c25901f880a476ee4a91262c6d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
f625bd9769f3ced290037d03d2678087

SHA1
12a2a94a9e19599b51dae806a4d73a8950e7dd3d

SHA256
065c64bf6f7176fc24f5705119c559cd3444ce53032960cf6c50eb36d4c7cc16

SHA512
8be9b5d54e19f795587547a2cba65e4c3a45533bab2f7f4efc01e672b0c94c2d3bec1c9b5ad35b4ba29c538664eb4b9c4d2ff83f3c71675aad57f0f41cd289b5

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\Admin@DGIIMQCP_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
220B

MD5
2ab1fd921b6c195114e506007ba9fe05

SHA1
90033c6ee56461ca959482c9692cf6cfb6c5c6af

SHA256
c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

SHA512
4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\Admin@DGIIMQCP_en-US\System\Apps.txt

Filesize
6KB

MD5
3a369126adb05a2596cafba28131c27a

SHA1
2756b6b2f27ce049d93361163bf208448cd98955

SHA256
ec0483822d84f2da42102850d330e923023713f9e8bead246b365d5a48ebbc12

SHA512
44132ca7712d77991ee8c00256c533c2890beba91b0dd1d8a14b2ccea378188a3d5b072bd289d023f1f3b13fffc8110a168479e5fb844386355951f9cd62d614

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\Admin@DGIIMQCP_en-US\System\Process.txt

Filesize
712B

MD5
7e301b577574d5e9093580574dbb7ccf

SHA1
83b533ebdf95191dc524611ff2661d42469fefb3

SHA256
83a6e75f6cb049603301819c0abe95fb9311ee825141d7cb7968cfe2f6c89751

SHA512
e1ed1503489995bc6e21deed66e29f837a16586994f2273fd861654f1f21f2230e8088ac4ef5167cf8e2fbb59062122d91ba46e01055f392c572f4b29abb8960

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\Admin@DGIIMQCP_en-US\System\Process.txt

Filesize
1KB

MD5
95b25d2d1a3cb0a1c7d92b8feb25faaa

SHA1
8182c7107adab135fe8d3cfc69463d9ff3ecce44

SHA256
2058a0a9e9a52a857bc8ebf27c0cb0d7b6b01e4c2da92a270b90883c1bacd00e

SHA512
1c350fdbf3bdc53efa10cb4be0f26eee789398a6f218972a8ac5dedd43d5eabe7260b66093be5257dad49cb5f7650ff7ce57628eb8142f082d82704020ffae1d

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\Admin@DGIIMQCP_en-US\System\Process.txt

Filesize
3KB

MD5
0c44cb880d85320b00e8c84ccdd04183

SHA1
8d422496b52ab2ba7fd2cc9f324b9a260e77e6c5

SHA256
3d62a64a8356fee3b5725e259297f8afe35b9b4bbf4de4cf30a8b5eaff80c09c

SHA512
a7d92fee1343dafbdf2c5f471c500a65869e6ccd6951ca20a05ae911282732039cfcc6ec898150be93ac6a7bef956f13fcc7c2bdea57942e4fcc9cb85291f3ca

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\Admin@DGIIMQCP_en-US\System\Process.txt

Filesize
4KB

MD5
df48a7c4916c5a857397d4b39318117c

SHA1
1ec3a14cba5bc2746816b3859e5a3b0e9e2ab7c9

SHA256
6ac63b5816a220d952f22651e89d81bd69945cf2a7e6d8d70e05be7824388095

SHA512
eec61f53aeceee707eea9fdf9d1073c5afd9a282ed85139bcc6571f9fa0c41db8d7369e6cd5d16a6f196fad4c2c0a332eda90ea989f693471a27310b3fe048e3

Download Submit
C:\Users\Admin\AppData\Local\db180f38e1494d43b201233bdf34c3ee\msgid.dat

Filesize
2B

MD5
44f683a84163b3523afe57c2e008bc8c

SHA1
511a418e72591eb7e33f703f04c3fa16df6c90bd

SHA256
81b8a03f97e8787c53fe1a86bda042b6f0de9b0ec9c09357e107c99ba4d6948a

SHA512
8f93f4613808d16b19cc5b565de55835b96e474d3b07f0cb1e583c6f89498497aca7b67cd455116072fccbbe915a165911ac1fbbf31cc8617d099dd8df83f211

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1ba7aed58abada8ee7dbfc6113ee30fe

SHA1
c82b177bf9715eeed3b728f249d9b54652048fbe

SHA256
e494e3246c079ef933e43ecbd398ecd68e91ecbe9a6cd57814e9a84de31a597d

SHA512
2b086c788190c7c68884a8bf4605b5fccdf7002958c4a66e5646bc2a552d0b3d34465e03b37d48eae3e5fe4686b08d9bbfcabb1d02306baada337940d96f2e6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
85c5fce2a46417b5701079bd3ba0313b

SHA1
88b7b8b3d40ffde21547a095ea656b4793eb20a6

SHA256
53308244946ee13adbb40a14654275f1a7b58297cd2c35bc68018ead55601e4e

SHA512
4c88334878302c528f2b8512556d8eb3ef86504d2cd4b048d474779759df13f60a2146bbb5712ccaf4ddae1fdd95de69790a83f5c1eca3d099d8ca91334e0eb3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
67ca41c73d556cc4cfc67fc5b425bbbd

SHA1
ada7f812cd581c493630eca83bf38c0f8b32b186

SHA256
23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

SHA512
0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

Download Submit
memory/3472-165-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/3680-40-0x000001A8749D0000-0x000001A8749DE000-memory.dmp

Filesize
56KB

Download
memory/3680-37-0x000001A86CF90000-0x000001A86CFA0000-memory.dmp

Filesize
64KB

Download
memory/3680-39-0x000001A874A10000-0x000001A874A48000-memory.dmp

Filesize
224KB

Download
memory/3680-41-0x000001A8758A0000-0x000001A8759A0000-memory.dmp

Filesize
1024KB

Download
memory/3680-44-0x000001A874A80000-0x000001A874A88000-memory.dmp

Filesize
32KB

Download
memory/3680-45-0x000001A8759A0000-0x000001A8759B6000-memory.dmp

Filesize
88KB

Download
memory/3680-47-0x000001A8749E0000-0x000001A8749EA000-memory.dmp

Filesize
40KB

Download
memory/3680-38-0x000001A874430000-0x000001A874438000-memory.dmp

Filesize
32KB

Download
memory/3680-48-0x000001A8759C0000-0x000001A8759C8000-memory.dmp

Filesize
32KB

Download
memory/3680-46-0x000001A874A00000-0x000001A874A0A000-memory.dmp

Filesize
40KB

Download
memory/3680-42-0x000001A8749F0000-0x000001A8749FA000-memory.dmp

Filesize
40KB

Download
memory/3680-43-0x000001A874A50000-0x000001A874A76000-memory.dmp

Filesize
152KB

Download
memory/3680-34-0x000001A86C870000-0x000001A86CB52000-memory.dmp

Filesize
2.9MB

Download
memory/4948-18-0x0000026A924A0000-0x0000026A9283A000-memory.dmp

Filesize
3.6MB

Download
memory/4948-800-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-684-0x0000026AAD840000-0x0000026AAD884000-memory.dmp

Filesize
272KB

Download
memory/4948-685-0x0000026AAD880000-0x0000026AAD89A000-memory.dmp

Filesize
104KB

Download
memory/4948-737-0x0000026AAD8A0000-0x0000026AAD952000-memory.dmp

Filesize
712KB

Download
memory/4948-406-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-33-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-738-0x0000026AAD950000-0x0000026AAD972000-memory.dmp

Filesize
136KB

Download
memory/4948-758-0x0000026AAD980000-0x0000026AADA20000-memory.dmp

Filesize
640KB

Download
memory/4948-36-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-486-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4996-35-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4996-1-0x0000000000420000-0x0000000000A06000-memory.dmp

Filesize
5.9MB

Download
memory/4996-3-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4996-0-0x00007FFC07BE3000-0x00007FFC07BE5000-memory.dmp

Filesize
8KB

Download