asyncrat | 069e0cb4a7fcf627459696e4257f4b471eee3a863a477e4ce0bb74ac9830e671

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09717399.exe
Size

48.7MB
MD5

33ce5b0d118abf329444aef57dbe7eb6
SHA1

7a6ef6db2411546257b477c8e86d7cf1958a090e
SHA256

069e0cb4a7fcf627459696e4257f4b471eee3a863a477e4ce0bb74ac9830e671
SHA512

1ddc7bc7e107f99f1298e556b837b1024532d08cb312ec7284a3cd67f43c2823a73d00a92ce67711818fc9117a8c84953a927170f8d9d8a89e448334608bf924
SSDEEP

786432:9G+SChsSUN7Wrwx3VyOdSgffEFZBTK1jCeb39z/MkJk+cP3l/hnp/2yahNNkuPtH:9SRSJrk38CVEWjNb39gki/R/2JhlFCwx

Score

10^/10

asyncrat dcrat evasion infostealer rat trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\portruntime\HhUvyFrf266T.vbe	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\crack.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\crack.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\crack.exe	asyncrat
behavioral2/memory/1344-177-0x0000000000F50000-0x00000000045EE000-memory.dmp	asyncrat
behavioral2/memory/1344-308-0x000000001F3F0000-0x000000001F400000-memory.dmp	asyncrat

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\load_dile.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\load_dile.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\load_dile.exe	dcrat
C:\Users\Admin\AppData\Roaming\portruntime\winsession.exe	dcrat
C:\Users\Admin\AppData\Roaming\portruntime\winsession.exe	dcrat

Downloads MZ/PE file

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\crack.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\crack.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\crack.exe	net_reactor
behavioral2/memory/1344-177-0x0000000000F50000-0x00000000045EE000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe09717399.exeload.exeload_dile.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	09717399.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	load_dile.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

Processes:

load.execrack.exeload_dile.exewinsession.exe

pid process

4324 load.exe
1344 crack.exe
328 load_dile.exe
4336 winsession.exe
Loads dropped DLL 1 IoCs

Processes:

crack.exe

pid process

1344 crack.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

load_dile.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings load_dile.exe

pid	process
4324	load.exe
1344	crack.exe
328	load_dile.exe
4336	winsession.exe

pid	process
1344	crack.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	load_dile.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1644	powershell.exe
1644	powershell.exe
4628	powershell.exe
4628	powershell.exe
3908	powershell.exe
3908	powershell.exe
2176	powershell.exe
2176	powershell.exe
4640	powershell.exe
4640	powershell.exe
3240	powershell.exe
3240	powershell.exe
1892	powershell.exe
1892	powershell.exe
1104	powershell.exe
1104	powershell.exe
1056	powershell.exe
1056	powershell.exe
1040	powershell.exe
1040	powershell.exe
4340	powershell.exe
4340	powershell.exe
3908	powershell.exe
1104	powershell.exe
1040	powershell.exe
1056	powershell.exe
1644	powershell.exe
4628	powershell.exe
2176	powershell.exe
1892	powershell.exe
4640	powershell.exe
3240	powershell.exe
4340	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

load.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execrack.exepowershell.exewinsession.exe

description	pid	process
Token: SeDebugPrivilege	4324	load.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1344	crack.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4336	winsession.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

09717399.exeload.exeload_dile.exeWScript.exeWScript.exeWScript.execmd.exe

description	pid	process	target process
PID 4508 wrote to memory of 4324	4508	09717399.exe	load.exe
PID 4508 wrote to memory of 4324	4508	09717399.exe	load.exe
PID 4508 wrote to memory of 1344	4508	09717399.exe	crack.exe
PID 4508 wrote to memory of 1344	4508	09717399.exe	crack.exe
PID 4324 wrote to memory of 328	4324	load.exe	load_dile.exe
PID 4324 wrote to memory of 328	4324	load.exe	load_dile.exe
PID 4324 wrote to memory of 328	4324	load.exe	load_dile.exe
PID 328 wrote to memory of 1896	328	load_dile.exe	WScript.exe
PID 328 wrote to memory of 1896	328	load_dile.exe	WScript.exe
PID 328 wrote to memory of 1896	328	load_dile.exe	WScript.exe
PID 328 wrote to memory of 3744	328	load_dile.exe	WScript.exe
PID 328 wrote to memory of 3744	328	load_dile.exe	WScript.exe
PID 328 wrote to memory of 3744	328	load_dile.exe	WScript.exe
PID 3744 wrote to memory of 3084	3744	WScript.exe	WScript.exe
PID 3744 wrote to memory of 3084	3744	WScript.exe	WScript.exe
PID 3744 wrote to memory of 3084	3744	WScript.exe	WScript.exe
PID 3084 wrote to memory of 1056	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1056	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1056	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1104	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1104	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1104	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1040	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1040	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1040	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1644	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1644	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1644	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4628	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4628	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4628	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4640	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4640	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4640	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 2176	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 2176	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 2176	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 3240	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 3240	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 3240	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1892	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1892	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 1892	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4340	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4340	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 4340	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 3908	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 3908	3084	WScript.exe	powershell.exe
PID 3084 wrote to memory of 3908	3084	WScript.exe	powershell.exe
PID 1896 wrote to memory of 4128	1896	WScript.exe	cmd.exe
PID 1896 wrote to memory of 4128	1896	WScript.exe	cmd.exe
PID 1896 wrote to memory of 4128	1896	WScript.exe	cmd.exe
PID 4128 wrote to memory of 4336	4128	cmd.exe	winsession.exe
PID 4128 wrote to memory of 4336	4128	cmd.exe	winsession.exe

C:\Users\Admin\AppData\Local\Temp\09717399.exe
"C:\Users\Admin\AppData\Local\Temp\09717399.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\load.exe
"C:\Users\Admin\AppData\Local\Temp\load.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\load_dile.exe
"C:\Users\Admin\AppData\Local\Temp\load_dile.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portruntime\hSfGopwuyDtB4lb.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portruntime\4aoMg0Ud25u41z9hca1.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Roaming\portruntime\winsession.exe
"C:\Users\Admin\AppData\Roaming\portruntime\winsession.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portruntime\HhUvyFrf266T.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Roaming\portruntime\HhUvyFrf266T.vbe" /elevate
5⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b97c77f4388b0e9563698bd64240cc15

SHA1
46fc3cd347d6c533bbad952420baf0a7522405a5

SHA256
54b575b0cfea1d98de936d009d4d5875165472b68694585a9d1aacd805e09685

SHA512
c8379287e2e4c43717680cdf45ec425f3c2f868959acac92748b883bfc5fb942c5d6c1ae52daca434123716d6267fd08958e96b07388541110727151f14618d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1638f7b34bc91110df810c2d44301b17

SHA1
f068fb574881a8dd4e817b5b56af7a79b8275a55

SHA256
a68ec05a953903b7791a064eb5d54c3f0ee32eb23331a9eb43332052db877f2e

SHA512
5375ac7f7a61d8a7280d8fab230ce0b211581cbc4e762dd37a447f41bceb8fce77289c580082d41a4ae5ed491256d7c4e5fc1f79ce3ea1eb5bd29df7032d4cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1638f7b34bc91110df810c2d44301b17

SHA1
f068fb574881a8dd4e817b5b56af7a79b8275a55

SHA256
a68ec05a953903b7791a064eb5d54c3f0ee32eb23331a9eb43332052db877f2e

SHA512
5375ac7f7a61d8a7280d8fab230ce0b211581cbc4e762dd37a447f41bceb8fce77289c580082d41a4ae5ed491256d7c4e5fc1f79ce3ea1eb5bd29df7032d4cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
78e15b4d6e5b9e4a288af917292ed6dc

SHA1
82db454c32bcb9fda325e9dd453c503fbe561809

SHA256
40bc5ba9369393f3d1ef9ab4737d98d6f08e602c31f48e61df20318a25b3b728

SHA512
df0fca0a9273b32eabb4749bc41cdc5b92da2030e7b3e25bf1c1b3b578128dc79474339fba55442e72c5625cdcf02a9f84b218d23914640814d8ec703eaeb57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e2df8627a9b4986e5e35cbaf725cbdf8

SHA1
6abbb81d5d5610a4fb8d3a51b7a343841ac9a6ea

SHA256
11989750ebda8f401bb7d35fb5553404c42e28b85883a35b5520a14e8fd9971b

SHA512
a64dde7e31d297e0c8ba14d72a13401496bacbd87524ae0142113bfe4a2af916cdef9b1413c0dd4329ae8716e3e6f0d515b122ad7e7c3ca2f5328fbcb33bf1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
78e15b4d6e5b9e4a288af917292ed6dc

SHA1
82db454c32bcb9fda325e9dd453c503fbe561809

SHA256
40bc5ba9369393f3d1ef9ab4737d98d6f08e602c31f48e61df20318a25b3b728

SHA512
df0fca0a9273b32eabb4749bc41cdc5b92da2030e7b3e25bf1c1b3b578128dc79474339fba55442e72c5625cdcf02a9f84b218d23914640814d8ec703eaeb57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
78e15b4d6e5b9e4a288af917292ed6dc

SHA1
82db454c32bcb9fda325e9dd453c503fbe561809

SHA256
40bc5ba9369393f3d1ef9ab4737d98d6f08e602c31f48e61df20318a25b3b728

SHA512
df0fca0a9273b32eabb4749bc41cdc5b92da2030e7b3e25bf1c1b3b578128dc79474339fba55442e72c5625cdcf02a9f84b218d23914640814d8ec703eaeb57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e6fc911f4e0f78da3627ae22d68e70e4

SHA1
80b671991a491c06961b6864d4190ad2266a6db3

SHA256
03d37d154b5655474c81c3840fc6849017bd054aa97efbd9275a1ae1dab7165a

SHA512
87bf541bccc21386f436735fd74982bd2b5623dcf4dcc5c6663a955195ffaf8c25cdffb9b2f75c92f971dd94eed4e6dece0dc0f196fc12369e26f44f3041ae7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e6fc911f4e0f78da3627ae22d68e70e4

SHA1
80b671991a491c06961b6864d4190ad2266a6db3

SHA256
03d37d154b5655474c81c3840fc6849017bd054aa97efbd9275a1ae1dab7165a

SHA512
87bf541bccc21386f436735fd74982bd2b5623dcf4dcc5c6663a955195ffaf8c25cdffb9b2f75c92f971dd94eed4e6dece0dc0f196fc12369e26f44f3041ae7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3c8a1026f934ccc3d1cfbdd4ccb3e5ae

SHA1
acdee0ef8dd80bc9550a10f9ceea88b80541e342

SHA256
81cff3789dde9be16a6ced6c7b116ed49a9c7d4e823935bad38226c4c31bc001

SHA512
c0100d9d024b232a8e438b0ed2c4d4df62cada1b7b99cb6ccb2c970e9ab225edf1d90655bfa7665fcc5b9a6a377bf00c8b60130cdfcba54f38f3a9fb884f3e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3eec034.pb3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe
Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\load.exe
Filesize
62KB

MD5
4442cab7c11b2395fcaa9a6571f4a5f0

SHA1
d50d0bcf68b79f48cfdc0dab8ee2fdccb8d22b98

SHA256
54ad1bedaebad672fa9f573bff1a03b6da29de46f04cc31334f51317cc72702e

SHA512
ffc5e855ed8ccde742afab96238859f1c88c8a8b711f42a97c9606f5adf1d15794914bca9add80b8a5808b1d4b42df561f7c8eb9c417f802bee0296789345f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\load.exe
Filesize
62KB

MD5
4442cab7c11b2395fcaa9a6571f4a5f0

SHA1
d50d0bcf68b79f48cfdc0dab8ee2fdccb8d22b98

SHA256
54ad1bedaebad672fa9f573bff1a03b6da29de46f04cc31334f51317cc72702e

SHA512
ffc5e855ed8ccde742afab96238859f1c88c8a8b711f42a97c9606f5adf1d15794914bca9add80b8a5808b1d4b42df561f7c8eb9c417f802bee0296789345f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\load.exe
Filesize
62KB

MD5
4442cab7c11b2395fcaa9a6571f4a5f0

SHA1
d50d0bcf68b79f48cfdc0dab8ee2fdccb8d22b98

SHA256
54ad1bedaebad672fa9f573bff1a03b6da29de46f04cc31334f51317cc72702e

SHA512
ffc5e855ed8ccde742afab96238859f1c88c8a8b711f42a97c9606f5adf1d15794914bca9add80b8a5808b1d4b42df561f7c8eb9c417f802bee0296789345f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\load_dile.exe
Filesize
3.5MB

MD5
cf89c00e46ac76d5fe3785d5934abb06

SHA1
2e59d9cccb05c51f4f1fcd141e4af33de6eb1c80

SHA256
1b9c1b227a2f27382827133dde3a28b8af5268f72b6ae3dc23ba0abcbe4c8409

SHA512
ea27561736979c5c1c62934e4c4e904e0ae4d84a304cafe4775b02e1fff0f22d5340acfb6b3a77f043a2162b7d7ce4dd0b6609dd03f18cba61dd6812f18bab74

Download Submit
C:\Users\Admin\AppData\Local\Temp\load_dile.exe
Filesize
3.5MB

MD5
cf89c00e46ac76d5fe3785d5934abb06

SHA1
2e59d9cccb05c51f4f1fcd141e4af33de6eb1c80

SHA256
1b9c1b227a2f27382827133dde3a28b8af5268f72b6ae3dc23ba0abcbe4c8409

SHA512
ea27561736979c5c1c62934e4c4e904e0ae4d84a304cafe4775b02e1fff0f22d5340acfb6b3a77f043a2162b7d7ce4dd0b6609dd03f18cba61dd6812f18bab74

Download Submit
C:\Users\Admin\AppData\Local\Temp\load_dile.exe
Filesize
3.5MB

MD5
cf89c00e46ac76d5fe3785d5934abb06

SHA1
2e59d9cccb05c51f4f1fcd141e4af33de6eb1c80

SHA256
1b9c1b227a2f27382827133dde3a28b8af5268f72b6ae3dc23ba0abcbe4c8409

SHA512
ea27561736979c5c1c62934e4c4e904e0ae4d84a304cafe4775b02e1fff0f22d5340acfb6b3a77f043a2162b7d7ce4dd0b6609dd03f18cba61dd6812f18bab74

Download Submit
C:\Users\Admin\AppData\Roaming\portruntime\4aoMg0Ud25u41z9hca1.bat
Filesize
38B

MD5
598f9b4413a605659864abc97e0a72bb

SHA1
4891a308954fde5f94ec0935938d371cdc6e6408

SHA256
fd3c08b5172170ed2097daf6dcfe46588aa989cea1471081911cac35b261f0e4

SHA512
cf35baa500f10fb2e6da1fd6f20d3d53ebc370b0ffcda7755b0a2eaa3643dc6d01bfaf461962a493949b7c4f18f95311a15312fc59b0cc241047d4cfc9dc6188

Download Submit
C:\Users\Admin\AppData\Roaming\portruntime\HhUvyFrf266T.vbe
Filesize
1KB

MD5
3183ab3e54079f5094f0438ad5d460f6

SHA1
850eacdf078b851378fee9b83a895a247f3ff1ed

SHA256
16da599511714cce9fd5888b1cc06bdb44857fc9147f9a2b5eed422d9ae40415

SHA512
31e996ae9eaf26a7292a6c3c0d7a4284228dec13d082a82f0b5f8825cd265a249e266b5a99c755f41dfd370ce8a179ad29780311c1f49f89dc80f5e4a99ce31e

Download Submit
C:\Users\Admin\AppData\Roaming\portruntime\hSfGopwuyDtB4lb.vbe
Filesize
214B

MD5
2358a01362079a90aac9605e41461d6f

SHA1
2e94f300d93724e1e69a226e58c7d17ffc89a79a

SHA256
aaf09f9697830fb827905fc2f315104c7b2a28a8b4f76e67c833189638a27f9f

SHA512
aac73c379da5fb09d978d49b882ed2121879892a675dba74a4ce58a09505322663ee0240836448650c0a4128b4e088f112f4a2f915ad5a78dab56d09ad05db04

Download Submit
C:\Users\Admin\AppData\Roaming\portruntime\winsession.exe
Filesize
3.2MB

MD5
ac43728fc989a1f67b8e17db79920f09

SHA1
53386be2a9899cacf11b98c079c16c2861462ff6

SHA256
0cd2ee19652cba1ad1e2f8dc952b4925a6e6ba1038fe0f249322d19db4fa750b

SHA512
6ac841e976655124889057341fcfde7cdec90277abfe3ab55dbef3261cda5d5d07ae4b1ac4e08438ada560cf9bae2864cd086dc49a78ae4a2f47ff62daebc326

Download Submit
C:\Users\Admin\AppData\Roaming\portruntime\winsession.exe
Filesize
3.2MB

MD5
ac43728fc989a1f67b8e17db79920f09

SHA1
53386be2a9899cacf11b98c079c16c2861462ff6

SHA256
0cd2ee19652cba1ad1e2f8dc952b4925a6e6ba1038fe0f249322d19db4fa750b

SHA512
6ac841e976655124889057341fcfde7cdec90277abfe3ab55dbef3261cda5d5d07ae4b1ac4e08438ada560cf9bae2864cd086dc49a78ae4a2f47ff62daebc326

Download Submit
memory/1040-180-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/1040-361-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/1040-424-0x000000007F160000-0x000000007F170000-memory.dmp

Filesize
64KB

Download
memory/1056-179-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/1056-181-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/1056-356-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/1056-414-0x000000007F0D0000-0x000000007F0E0000-memory.dmp

Filesize
64KB

Download
memory/1104-186-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1104-185-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1104-330-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/1104-327-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1104-371-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

Filesize
64KB

Download
memory/1344-288-0x000000001F3F0000-0x000000001F400000-memory.dmp

Filesize
64KB

Download
memory/1344-324-0x000000001F3F0000-0x000000001F400000-memory.dmp

Filesize
64KB

Download
memory/1344-177-0x0000000000F50000-0x00000000045EE000-memory.dmp

Filesize
54.6MB

Download
memory/1344-308-0x000000001F3F0000-0x000000001F400000-memory.dmp

Filesize
64KB

Download
memory/1344-306-0x000000001F340000-0x000000001F352000-memory.dmp

Filesize
72KB

Download
memory/1344-291-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1344-322-0x000000001F3F0000-0x000000001F400000-memory.dmp

Filesize
64KB

Download
memory/1644-341-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/1644-441-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1644-430-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1644-184-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1644-182-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1892-287-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/1892-329-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/1892-385-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/2176-383-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/2176-426-0x000000007FCC0000-0x000000007FCD0000-memory.dmp

Filesize
64KB

Download
memory/3240-191-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/3240-395-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/3240-442-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/3240-190-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/3908-189-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3908-320-0x0000000006C90000-0x0000000006CAE000-memory.dmp

Filesize
120KB

Download
memory/3908-193-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/3908-194-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/3908-195-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3908-328-0x0000000007C70000-0x0000000007D06000-memory.dmp

Filesize
600KB

Download
memory/3908-326-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/3908-289-0x0000000005480000-0x000000000549E000-memory.dmp

Filesize
120KB

Download
memory/3908-321-0x000000007FDF0000-0x000000007FE00000-memory.dmp

Filesize
64KB

Download
memory/3908-325-0x00000000079E0000-0x00000000079FA000-memory.dmp

Filesize
104KB

Download
memory/3908-323-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/3908-427-0x0000000007C20000-0x0000000007C2E000-memory.dmp

Filesize
56KB

Download
memory/3908-428-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/3908-429-0x0000000007D10000-0x0000000007D18000-memory.dmp

Filesize
32KB

Download
memory/3908-307-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3908-309-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/3908-310-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/4324-149-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/4324-156-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4340-192-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4340-431-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/4340-290-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4340-384-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4628-340-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/4628-381-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

Filesize
64KB

Download
memory/4628-187-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/4628-178-0x0000000001140000-0x0000000001176000-memory.dmp

Filesize
216KB

Download
memory/4640-382-0x0000000074C50000-0x0000000074C9C000-memory.dmp

Filesize
304KB

Download
memory/4640-188-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/4640-425-0x000000007F710000-0x000000007F720000-memory.dmp

Filesize
64KB

Download
memory/4640-284-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download