asyncrat | 5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847.ps1
Size

7.7MB
MD5

aa2034838226e4fa458cb479330d3df1
SHA1

5d17be875fcb82a808c5314c20a27f221b787c48
SHA256

5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847
SHA512

01d80e3c1e65881882ca47c7967eb78613aa50de1cb0869545206410d1edab6b15de389f2f4372a3351395692e792a5c7c6cc002db1ce0f12d49da905c998946
SSDEEP

24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vk:Y

Score

10^/10

asyncrat default discovery evasion execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedrive.live.com/Download?cid=8BDBA39CCF6B0487&resid=8BDBA39CCF6B0487%21115&authkey=AKzKYXDKF87dXao

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

antivirus-ssl.myiphost.com:195

Mutex

AsyncMutex_6SI8OkLrx

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 920 set thread context of 4920	920	powershell.exe	128

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3580	powershell.exe
4140	powershell.exe
968	powershell.exe
2768	powershell.exe
4780	powershell.exe
920	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1848	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3580	powershell.exe
3580	powershell.exe
4140	powershell.exe
4140	powershell.exe
968	powershell.exe
968	powershell.exe
2768	powershell.exe
2768	powershell.exe
4780	powershell.exe
4780	powershell.exe
920	powershell.exe
920	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 1984	3580	powershell.exe	84
PID 3580 wrote to memory of 1984	3580	powershell.exe	84
PID 1984 wrote to memory of 4140	1984	WScript.exe	85
PID 1984 wrote to memory of 4140	1984	WScript.exe	85
PID 4140 wrote to memory of 2212	4140	powershell.exe	87
PID 4140 wrote to memory of 2212	4140	powershell.exe	87
PID 4140 wrote to memory of 1704	4140	powershell.exe	88
PID 4140 wrote to memory of 1704	4140	powershell.exe	88
PID 2212 wrote to memory of 4456	2212	WScript.exe	89
PID 2212 wrote to memory of 4456	2212	WScript.exe	89
PID 4456 wrote to memory of 968	4456	cmd.exe	91
PID 4456 wrote to memory of 968	4456	cmd.exe	91
PID 968 wrote to memory of 772	968	powershell.exe	92
PID 968 wrote to memory of 772	968	powershell.exe	92
PID 1900 wrote to memory of 5088	1900	mshta.exe	95
PID 1900 wrote to memory of 5088	1900	mshta.exe	95
PID 5088 wrote to memory of 952	5088	cmd.exe	98
PID 5088 wrote to memory of 952	5088	cmd.exe	98
PID 4568 wrote to memory of 1848	4568	mshta.exe	99
PID 4568 wrote to memory of 1848	4568	mshta.exe	99
PID 952 wrote to memory of 1980	952	WScript.exe	101
PID 952 wrote to memory of 1980	952	WScript.exe	101
PID 1980 wrote to memory of 2768	1980	cmd.exe	105
PID 1980 wrote to memory of 2768	1980	cmd.exe	105
PID 2100 wrote to memory of 4780	2100	WScript.exe	123
PID 2100 wrote to memory of 4780	2100	WScript.exe	123
PID 4428 wrote to memory of 920	4428	WScript.exe	126
PID 4428 wrote to memory of 920	4428	WScript.exe	126
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128
PID 920 wrote to memory of 4920	920	powershell.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\sys.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\sys.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\a.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Favorites\a.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\b.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\p4yjdxpp.inf
        7⤵
        
        PID:772
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn administartor /sc minute /st 00:10 /tr C:\Users\Admin\Favorites\System.vbs
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1704

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd.exe /c start """""""" """"%USERPROFILE%\Favorites\Assembly.vbs"""""",0:close")
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\Favorites\Assembly.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\Assembly.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Favorites\x.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\x.ps1
        5⤵
        UAC bypass
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
  2⤵
  - Suspicious use of SetThreadContext
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa187cac09f051e24146ad549a0f08a6

SHA1
2ef7fae3652bb838766627fa6584a6e3b5e74ff3

SHA256
7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f

SHA512
960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02a289d5e6f75385c95430a6e63b0cde

SHA1
4bd8a93b879c5f51884dec791eab74b002659c98

SHA256
fabaf00828eb3d3bc829b863949f3e0fa43b2093dd2415fe920d160195f15698

SHA512
01e4dcee0635ce3e940ab9611160c0a30fdc34ebd6af5d4868345aa9702f59f7b3484e389e6ba4ba0ac4e0035c48779c722b968272240080b4cb1aa78d38c332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmvgeams.oj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Favorites\Assembly.vbs

Filesize
331B

MD5
66d268811c166c82aaef2f52450b0c73

SHA1
f7810c1003732c440b986718a8217dd733e88f74

SHA256
581df8170200c95d38ce78eba4e9942d47cad443bbc0148954e48df04eec3b34

SHA512
36de3a5f59ee7a531832ae7e43997a3019ad8a15b0d1b321e589a85d77af27dab80b90a0ef5c978c4fffcc4d32fe8d870f60e9cf3e5bff302e4292bfc6196830

Download Submit
C:\Users\Admin\Favorites\System.vbs

Filesize
121B

MD5
dada8407cf4051919362d16a6d735cde

SHA1
8a2788926f97dbd59c99ad51b3383c59992c6c2e

SHA256
ee512a4266049b505b2b5c6c4c7bd66baadd37eda61bfe7f31f6cfcc1c955a77

SHA512
42c6b1fac8502e3b21cbd6cda11601afc55ca539db03667eec7c839bc33c70ed1a6aeba5a3c9684951143658b17183c2782bec8a0108b345c0ac2aebdaa8fc9f

Download Submit
C:\Users\Admin\Favorites\UAC-B.dll

Filesize
11KB

MD5
cc6ba6fc273dbfbb5c9698c0cf4719b9

SHA1
a2b3433b728b0874ec69d8a629d5f0dd05c0946d

SHA256
320316cdda2aa0e8709472a2b8eb8debcd0f8bb6f9af4d4d4b3bc67068ceebe7

SHA512
fe2fe2f150fbf619dd7616c86c93a42446b7c915b92fb865971dcf7dd595c6483da7386ce40b99802dc0942068bd1703821e0e3b15a6ebe557619cf6fa413c61

Download Submit
C:\Users\Admin\Favorites\a.bat

Filesize
86B

MD5
4625a049cd6ea721b706699ab3c36dff

SHA1
dbb82c9e8cb7bdcf617e7c4e158d031275b5ec24

SHA256
c751a3cb67ab1c75f1de6e24b7193123cc815524c538973110d1f6027da24dc0

SHA512
35674c3c1d6c449b3716ddf2ca8733e255a8f642723186a847694fb936b50a91e6bd7ab7f6edf1489592a583109739a4f0c12769823e2fc163860eeb7004b6c0

Download Submit
C:\Users\Admin\Favorites\a.vbs

Filesize
485B

MD5
5ce49e20c572f2b6d4b43fc61a6906ec

SHA1
170185b8ab9fc4749f28e5796999c23b50be89dc

SHA256
d6a43aad0aa8e510f01409921c8b0b5c8d93d51d1f7f39340db775c164686412

SHA512
c49e14c094e4d5e108aa50889a9fb06428a3d7a1f74d868c9b7d37f35658a64ea205b00681ad83aef428113fdf6fead8ef98dd1e6b38d84b8306765025c2e8e3

Download Submit
C:\Users\Admin\Favorites\b.ps1

Filesize
173B

MD5
e1d9cbc41ffacef02695df17824a82e0

SHA1
970ae087b8a3d11fb3e2a9b8de1592a166436fa7

SHA256
61571d1fd0000c02eef19b7dd6e452e2f9eba2e947f4c96d781e79d35802043f

SHA512
3b4034b2072a309adeb1af8b540023791262915f4b1347f4aa27f8aedcbbb6e1126c1a4d5f1db1ce2ad5638d24d7ba3025a8451c291241db2f2a99b0832f620a

Download Submit
C:\Users\Admin\Favorites\micro.ps1

Filesize
444KB

MD5
33e535c339dfe5328e4f6244151a6938

SHA1
24da1a168d3196928278d737cb01e6ddb3958e7f

SHA256
6e55e21f7d21c41dc3635782947a3bcbb60ebf8e047048bcac537150c28f4735

SHA512
81a764be599c62f11767cb5a23bc7dd3ed91ec1640c8de16504523921829c7f000491b19728c74a0ea074d501fe582e6eb1048ccc55e632b0d6163daccda3122

Download Submit
C:\Users\Admin\Favorites\micro.ps1

Filesize
889KB

MD5
6aebe5e40338074dcdf1a2fdf5ec052c

SHA1
0affad0eab774562a022100f11c367e83b72c4b2

SHA256
03b5c1eab769693201ca761bd2050ddd7bad82925fa19015701560aa05e5c296

SHA512
7f7ac71e80557184ea78f75d1f436a9f4808e4f0bf555fe6fd4a924b1f982931c0c8a7345df6df717fe99b60534e948e5994acdeab172c5a778ecdf99eda4774

Download Submit
C:\Users\Admin\Favorites\sys.ps1

Filesize
19KB

MD5
bb0c7df40c2493ce9325882fc7d4b499

SHA1
e23d118eb3eeb81e22b5e110705f37fa8cd0d133

SHA256
6ab29a186284082a8e82a5a28c1f994af22d365e67b8c43f6a39389f08998dd4

SHA512
a220c8f21c8fd4e98b76866fb32f898d62e8828f70fdfe4cae61263341fb1436c51e6a7cd394a0e3d6d1e5348e8a3a7b6ca1315bd200fb311c9476e56f44aa03

Download Submit
C:\Users\Admin\Favorites\sys.vbs

Filesize
119B

MD5
a8c65c2b9b22070a4d49894328b313ed

SHA1
4518f72c768e128118b9ba32b27c4b083e2b500c

SHA256
dd078ad41f7f10601742a499715ea9ec9250b327c8875b5be5ae3cd34e629f7c

SHA512
ab056005c9c49d62b37c551c18fd11ec9fef3de0b4e0e5fdad8c965737445b439200fdbef94544c6a65a8ed299d870a01229f09f0c2eecb793afa47de5affc4b

Download Submit
C:\Users\Admin\Favorites\x.bat

Filesize
86B

MD5
03fc58bceab448c9f183fbe86fed1f11

SHA1
07f3d54b0b40755e8f58f5fdab95049def6578e3

SHA256
6062f0e764ccd855b61ba49720065dfd6f6c6864c4eb1e9dce95ba8a293fd756

SHA512
c0e9aec7a6c5aaae3b018d44f1fbdc1939026ce16fad20211a0521e3db9e470d842508b7d2167672e1585bafeb4b2f1fe694ca96ddb9137ff9e5d3b4ca53ea4f

Download Submit
C:\Users\Admin\Favorites\x.ps1

Filesize
567B

MD5
e9859d3134c68db3134a6ca7df484344

SHA1
f4eec5ee9aa11a82d19bdb78a174c574669fd1d8

SHA256
a4aaf6c64969788732b20c79c1299719b84a52eddda13778a672195bbfba4a6c

SHA512
47982ddf074418c350790f5f7d53edddbbb47e7768939ebf88f4812b01f241c8bff509dbd9a8e6232eb6ec7f8b0344a1a59474ea45da0c80af9f04ba21498cdb

Download Submit
C:\Windows\temp\p4yjdxpp.inf

Filesize
834B

MD5
09c0056318d62ee84963c66ae83d6c1b

SHA1
625936963d4a0059daff7222a1628198be9b7a4f

SHA256
25b2a55bade39fe6d90e0fb06068062a95af522f62d743454ffa4ddd478781d8

SHA512
b03301fcafbc905ac7724b5ee878208c4c7dc039b02edcfc00e51742c868ab4cf3f830dbbe52b314ee24f8d87f39b6c9eb3e6c188ddc75a9b52f7dfab85cb2d0

Download Submit
memory/920-111-0x000001C974B60000-0x000001C974B86000-memory.dmp

Filesize
152KB

Download
memory/968-65-0x000001E997FA0000-0x000001E997FAA000-memory.dmp

Filesize
40KB

Download
memory/3580-27-0x0000025A6A340000-0x0000025A6A55C000-memory.dmp

Filesize
2.1MB

Download
memory/3580-11-0x00007FF9CFB50000-0x00007FF9D0611000-memory.dmp

Filesize
10.8MB

Download
memory/3580-12-0x00007FF9CFB50000-0x00007FF9D0611000-memory.dmp

Filesize
10.8MB

Download
memory/3580-10-0x0000025A6A1D0000-0x0000025A6A1F2000-memory.dmp

Filesize
136KB

Download
memory/3580-0-0x00007FF9CFB53000-0x00007FF9CFB55000-memory.dmp

Filesize
8KB

Download
memory/3580-29-0x00007FF9CFB50000-0x00007FF9D0611000-memory.dmp

Filesize
10.8MB

Download
memory/4920-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download