Overview

overview

10

Static

static

10

Nursultan Beta.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1783s
  • max time network
    1790s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan Beta.exe

  • Size

    1.5MB

  • MD5

    b8317db1ac92a4c14e7d0d8f3539ae43

  • SHA1

    22a2385c9bbfce788b08fc24f33f8a0adaefd78e

  • SHA256

    d0e3960cfc407d95abdf059048bef502b65dbd149d977ad44be858c9163d9e6c

  • SHA512

    e919b5e87bc12ea0a38ca844ad2cb7d554b80357944d9d53a5bd79cdff8e8206fc06e75f7b710e9c59a90345e42d531993704b8a77532f8bd22e162ce15f5993

  • SSDEEP

    12288:Sr4lDQ0JHD6AUsEp8zLghZM5Qr4lDQ0JHD6AUsEp8zDjuPKv7MYdzJaifWz3BY1q:ScdzJ9ubKQcdzJ9uwjxnWVwBjxnWVwc

Score
10/10
44caliberxwormexecutionratspywarestealertrojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1235294310178492458/n1tsVRd4bDgNQjTi7wJYLYEgwzKAtqbw0H2CgwWJ4hG1R016D9ZXGq5Kouec9-4BGOgv

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %Temp%

  • install_file

    Astral.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Users\Admin\AppData\Local\Temp\AstraL Cheat.exe
      "C:\Users\Admin\AppData\Local\Temp\AstraL Cheat.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\ASTRAL.exe
        "C:\Users\Admin\AppData\Local\Temp\ASTRAL.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ASTRAL.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ASTRAL.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4524
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Astral" /tr "C:\Users\Admin\AppData\Local\Temp\Astral.exe"
          4⤵
          • Creates scheduled task(s)
          PID:3712
      • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4816
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:452
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4436
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4684
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3272
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Astral" /tr "C:\Users\Admin\AppData\Local\Temp\Astral.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4220
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Astral" /tr "C:\Users\Admin\AppData\Local\Temp\Astral.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2240
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4932
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Astral" /tr "C:\Users\Admin\AppData\Local\Temp\Astral.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3268
  • C:\Users\Admin\AppData\Local\Temp\Astral.exe
    C:\Users\Admin\AppData\Local\Temp\Astral.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Astral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3212
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Astral" /tr "C:\Users\Admin\AppData\Local\Temp\Astral.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Astral.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ba169f4dcbbf147fe78ef0061a95e83b

    SHA1

    92a571a6eef49fff666e0f62a3545bcd1cdcda67

    SHA256

    5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

    SHA512

    8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    fa8d1461e4feb2c39654e3a555a027f8

    SHA1

    0ca46b8961ceba8f9da31de5ed2408643fc89141

    SHA256

    7e26e4f0ef3a7d2904818a691429789c4781029ff4aab697c3b7c9a4287d661f

    SHA512

    e486b8f029c7eec60b6b2b5603390330afb1ddf627cc01c511808c47e68676b4c429b9f75fd4e16e48b496dccfe8cc8ec4a35825e1e889e66571acb6c03e0869

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    8e36164c76778c19637405adc15c138d

    SHA1

    5a84b55368cc3c58c628aef578b658fede2a27f4

    SHA256

    bc9323059bc4e6793598b39d942be6720745037ded472e084f2b2b4b60d07f87

    SHA512

    d2dade91b8654b52857af12addc756817910463d5cd366fe9a13d6b23c3f2024ee2603b094bc03815b5f0f28891142d914aa65950e8a073961a4a5a312c25ff4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a2c8179aaa149c0b9791b73ce44c04d1

    SHA1

    703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

    SHA256

    c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

    SHA512

    2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    22310ad6749d8cc38284aa616efcd100

    SHA1

    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

    SHA256

    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

    SHA512

    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    37a924b11cf3f7f57fc56898abe9b0e6

    SHA1

    5ee379727611f74dc5fa677b65881d4c63e10f95

    SHA256

    6e7f7c5fddb3a0300740fdcbe1a8ec3a0be0f16dff193f9806364a19262b52bf

    SHA512

    903e1badb3577e0b3e92b69491596c9a402b51cdf3de43d5fb06b08c5689d2ff7ba25f8d1497d6527e943d9063a7ee79cbf2b47892de1de3b68cc7ca77853d6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d65ebc84c6b0b52901fb46f5e2b83ab5

    SHA1

    d036a0c3eb9e1616d0f7f5ca41171060c13a3095

    SHA256

    d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

    SHA512

    88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a7cc007980e419d553568a106210549a

    SHA1

    c03099706b75071f36c3962fcc60a22f197711e0

    SHA256

    a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

    SHA512

    b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    2524e72b0573fa94e9cb8089728a4b47

    SHA1

    3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

    SHA256

    fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

    SHA512

    99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    9a6a9d75fa341993a8973ffdb60bd58d

    SHA1

    d418862e4b69af34201f6a9f9e631f6edc0add5b

    SHA256

    8a31f62bd3299437ff218e731dd847e4bb3f510281d8c333e1984de7bdecf2c2

    SHA512

    d7a860d80ca67fd4ab3ce87a6f33c47cf26512e88084e6f1453d2252715ae90a331837f0e623326c3e60dc91ff0df16c46535279ff06d483a49d02a2f669b3d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    0342b267f79ac6d33bf583a0b3b04dd1

    SHA1

    78ef2010a90ff2fa10d68628b39647d9773983ab

    SHA256

    dc0ea9007b6ac003b0f10a0f34361ee5defb05495c29a35d2951c4e4a604f1c5

    SHA512

    c484d055c44f353d1eeb1b626751d8863b0ed5af13376f46b62726568e8c7e4589986a7badf1a3de40f69c40ae6a4fa8fd4b2e47180a7cad17daa3943faf00d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    82290d9cc3e10e3c7c8b7c2ce0caf107

    SHA1

    262fe88a014003274a4c1dd7e2e8b87ad06cbe58

    SHA256

    b2b5b6b3166aeddf51672a02c910e2af50e715a05d2376d424f42f5cfc29d829

    SHA512

    104f5c14316d33c60eff89589464171f1e7f3df26897c2448a60f2b0a653afe26a9acc76040d4934f1aa44c826e7b26ab10872d90b8dd2edb9ddf421e873bbc1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ASTRAL.exe
    Filesize

    84KB

    MD5

    1179e18bebec63a06cf5dd1ded4fde4e

    SHA1

    b02c7a927e2c6fd918034fad92c3052ace8b3478

    SHA256

    820df19358c9ae146a40e6bb2c65459545203f9b64b4bade849324a60b003a76

    SHA512

    bfb3734e14340e8e11ba9e265411127049801d30650440726324e5ac98e488c9f24bfaa416d481adfb8d8ee40c05d4de13f59379574878c4822b892ba90acc8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AstraL Cheat.exe
    Filesize

    794KB

    MD5

    2e1f1f6651854b5a503f14d0cffbbf45

    SHA1

    4aab7ece235b73d81de63d2b9d9bc98448bdfe05

    SHA256

    50510c8f3cb875ed810f006602bc97c3712c3b6def8bb4c54d05a90ec06898b3

    SHA512

    24860b7e9f4144bf60047e2422d15974994e0520e2f0344d2aa6e797570e0e72687ad4782ba4151802550e39effd8b76f4e640272f53a55a186467d346f9c037

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    303KB

    MD5

    934bdcb474af138e4a6caf7c67c4e95d

    SHA1

    8efd900e6f0472c5be15d1009283320358c2d11c

    SHA256

    8fb07b0f90f3d89a34634cb03f55b0da9d483467e4384f3cc19881502167a654

    SHA512

    144d62626ebf9de81bcb9f6f281057cc51c8a4ad81465f8dd36546a97afcbedb34f6cad1b449d08f164b7a6ed2667841b7935dbcfa2e14ae5597416688255967

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bgymx34.154.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Astral.lnk
    Filesize

    1KB

    MD5

    91c58fbd55a6f7b706cf91d761564ac8

    SHA1

    fc429c3ab4055bb5ab7dc7a31c88a658c59ead8f

    SHA256

    c62ecd03985074a3be23172ee67b26e555ddb2f4df8d1230dc1095b298608aa1

    SHA512

    fd354c7309e3865f499b89569b4f81ef5dd48d299ed12f28350d8e86db3494a5a52d41051bc2c38a5ad45dc238412bda978a10d86e64b789bd3ed36f90789767

    Download Submit

  • memory/2836-33-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3164-70-0x000001B7F4230000-0x000001B7F4252000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3288-7-0x0000000000400000-0x000000000057C000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3676-168-0x00000000012E0000-0x00000000012EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4816-34-0x0000025A63EB0000-0x0000025A63F02000-memory.dmp

    Filesize

    328KB

    Download

  • memory/5044-112-0x00007FFE0FE43000-0x00007FFE0FE45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5044-31-0x0000000000920000-0x000000000093A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5044-28-0x00007FFE0FE43000-0x00007FFE0FE45000-memory.dmp

    Filesize

    8KB

    Download