asyncrat | 5024f86a2a158f964ce6833a7920c53e7962d0db4a542f4656267f46b55a57ef

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Company Docs.exe
Size

9.0MB
MD5

437d6db99b07aa14e1c86b82f3616082
SHA1

a13c183fb710f3b7e828dfb8ff48a609341677ba
SHA256

5024f86a2a158f964ce6833a7920c53e7962d0db4a542f4656267f46b55a57ef
SHA512

9acccad0804b399aeccae5ccff5a88cbd87a6fbfb97883fd08787446c574c71b3bd3d9c7159c036083faf9805d9efb50ac95beb900bfbd3da09238bd31729673

Score

10^/10

asyncrat evasion persistence rat

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
54.39.152.114
Port:
21
Username:
redthrth
Password:
WK)y;s2y12OaL7

Extracted

Family

asyncrat

Mutex

Attributes

aes_key
anti_detection
autorun
bdos
delay
host
hwid
This file can't run into RDP Servers.
install_file
install_folder
/EXEFilename "{0}\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
mutex
pastebin_config
port
version

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Company Docs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Company Docs.exe\""	Company Docs.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

Company Docs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Company Docs.exe	Company Docs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Company Docs.exe	Company Docs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Company Docs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Company Docs.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Company Docs.exe"	Company Docs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Company Docs.exe"	Company Docs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3520 schtasks.exe

flow	ioc
10	ip-api.com

pid	process
3520	schtasks.exe

Modifies registry class 5 IoCs

Processes:

Company Docs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell\open\command	Company Docs.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings	Company Docs.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell	Company Docs.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell\open	Company Docs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\ms-settings\shell\open\command\	Company Docs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
2228	powershell.exe
2228	powershell.exe
2228	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
2084	powershell.exe
2084	powershell.exe
2084	powershell.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
1232	powershell.exe
1232	powershell.exe
1232	powershell.exe
3636	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Company Docs.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3576	Company Docs.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3112	powershell.exe
Token: SeSecurityPrivilege	3112	powershell.exe
Token: SeTakeOwnershipPrivilege	3112	powershell.exe
Token: SeLoadDriverPrivilege	3112	powershell.exe
Token: SeSystemProfilePrivilege	3112	powershell.exe
Token: SeSystemtimePrivilege	3112	powershell.exe
Token: SeProfSingleProcessPrivilege	3112	powershell.exe
Token: SeIncBasePriorityPrivilege	3112	powershell.exe
Token: SeCreatePagefilePrivilege	3112	powershell.exe
Token: SeBackupPrivilege	3112	powershell.exe
Token: SeRestorePrivilege	3112	powershell.exe
Token: SeShutdownPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeSystemEnvironmentPrivilege	3112	powershell.exe
Token: SeRemoteShutdownPrivilege	3112	powershell.exe
Token: SeUndockPrivilege	3112	powershell.exe
Token: SeManageVolumePrivilege	3112	powershell.exe
Token: 33	3112	powershell.exe
Token: 34	3112	powershell.exe
Token: 35	3112	powershell.exe
Token: 36	3112	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeIncreaseQuotaPrivilege	2228	powershell.exe
Token: SeSecurityPrivilege	2228	powershell.exe
Token: SeTakeOwnershipPrivilege	2228	powershell.exe
Token: SeLoadDriverPrivilege	2228	powershell.exe
Token: SeSystemProfilePrivilege	2228	powershell.exe
Token: SeSystemtimePrivilege	2228	powershell.exe
Token: SeProfSingleProcessPrivilege	2228	powershell.exe
Token: SeIncBasePriorityPrivilege	2228	powershell.exe
Token: SeCreatePagefilePrivilege	2228	powershell.exe
Token: SeBackupPrivilege	2228	powershell.exe
Token: SeRestorePrivilege	2228	powershell.exe
Token: SeShutdownPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeSystemEnvironmentPrivilege	2228	powershell.exe
Token: SeRemoteShutdownPrivilege	2228	powershell.exe
Token: SeUndockPrivilege	2228	powershell.exe
Token: SeManageVolumePrivilege	2228	powershell.exe
Token: 33	2228	powershell.exe
Token: 34	2228	powershell.exe
Token: 35	2228	powershell.exe
Token: 36	2228	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeIncreaseQuotaPrivilege	3592	powershell.exe
Token: SeSecurityPrivilege	3592	powershell.exe
Token: SeTakeOwnershipPrivilege	3592	powershell.exe
Token: SeLoadDriverPrivilege	3592	powershell.exe
Token: SeSystemProfilePrivilege	3592	powershell.exe
Token: SeSystemtimePrivilege	3592	powershell.exe
Token: SeProfSingleProcessPrivilege	3592	powershell.exe
Token: SeIncBasePriorityPrivilege	3592	powershell.exe
Token: SeCreatePagefilePrivilege	3592	powershell.exe
Token: SeBackupPrivilege	3592	powershell.exe
Token: SeRestorePrivilege	3592	powershell.exe
Token: SeShutdownPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeSystemEnvironmentPrivilege	3592	powershell.exe
Token: SeRemoteShutdownPrivilege	3592	powershell.exe
Token: SeUndockPrivilege	3592	powershell.exe
Token: SeManageVolumePrivilege	3592	powershell.exe
Token: 33	3592	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Company Docs.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3576 wrote to memory of 3520	3576	Company Docs.exe	schtasks.exe
PID 3576 wrote to memory of 3520	3576	Company Docs.exe	schtasks.exe
PID 3576 wrote to memory of 3520	3576	Company Docs.exe	schtasks.exe
PID 3576 wrote to memory of 1564	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 1564	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 1564	3576	Company Docs.exe	cmd.exe
PID 1564 wrote to memory of 2128	1564	cmd.exe	netsh.exe
PID 1564 wrote to memory of 2128	1564	cmd.exe	netsh.exe
PID 1564 wrote to memory of 2128	1564	cmd.exe	netsh.exe
PID 3576 wrote to memory of 3856	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3856	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3856	3576	Company Docs.exe	cmd.exe
PID 3856 wrote to memory of 2704	3856	cmd.exe	netsh.exe
PID 3856 wrote to memory of 2704	3856	cmd.exe	netsh.exe
PID 3856 wrote to memory of 2704	3856	cmd.exe	netsh.exe
PID 3576 wrote to memory of 3928	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3928	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3928	3576	Company Docs.exe	cmd.exe
PID 3928 wrote to memory of 3556	3928	cmd.exe	netsh.exe
PID 3928 wrote to memory of 3556	3928	cmd.exe	netsh.exe
PID 3928 wrote to memory of 3556	3928	cmd.exe	netsh.exe
PID 3576 wrote to memory of 2300	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 2300	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 2300	3576	Company Docs.exe	cmd.exe
PID 2300 wrote to memory of 3432	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3432	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3432	2300	cmd.exe	netsh.exe
PID 3576 wrote to memory of 3652	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3652	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3652	3576	Company Docs.exe	cmd.exe
PID 3652 wrote to memory of 3472	3652	cmd.exe	netsh.exe
PID 3652 wrote to memory of 3472	3652	cmd.exe	netsh.exe
PID 3652 wrote to memory of 3472	3652	cmd.exe	netsh.exe
PID 3576 wrote to memory of 2916	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 2916	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 2916	3576	Company Docs.exe	cmd.exe
PID 2916 wrote to memory of 2312	2916	cmd.exe	netsh.exe
PID 2916 wrote to memory of 2312	2916	cmd.exe	netsh.exe
PID 2916 wrote to memory of 2312	2916	cmd.exe	netsh.exe
PID 3576 wrote to memory of 1264	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 1264	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 1264	3576	Company Docs.exe	cmd.exe
PID 1264 wrote to memory of 4060	1264	cmd.exe	netsh.exe
PID 1264 wrote to memory of 4060	1264	cmd.exe	netsh.exe
PID 1264 wrote to memory of 4060	1264	cmd.exe	netsh.exe
PID 3576 wrote to memory of 2120	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 2120	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 2120	3576	Company Docs.exe	cmd.exe
PID 2120 wrote to memory of 2868	2120	cmd.exe	netsh.exe
PID 2120 wrote to memory of 2868	2120	cmd.exe	netsh.exe
PID 2120 wrote to memory of 2868	2120	cmd.exe	netsh.exe
PID 3576 wrote to memory of 3796	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3796	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3796	3576	Company Docs.exe	cmd.exe
PID 3796 wrote to memory of 3128	3796	cmd.exe	netsh.exe
PID 3796 wrote to memory of 3128	3796	cmd.exe	netsh.exe
PID 3796 wrote to memory of 3128	3796	cmd.exe	netsh.exe
PID 3576 wrote to memory of 3568	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3568	3576	Company Docs.exe	cmd.exe
PID 3576 wrote to memory of 3568	3576	Company Docs.exe	cmd.exe
PID 3568 wrote to memory of 692	3568	cmd.exe	netsh.exe
PID 3568 wrote to memory of 692	3568	cmd.exe	netsh.exe
PID 3568 wrote to memory of 692	3568	cmd.exe	netsh.exe
PID 3576 wrote to memory of 3136	3576	Company Docs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Company Docs.exe
"C:\Users\Admin\AppData\Local\Temp\Company Docs.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Venom Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Venom.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-ngrok" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Venom-ngrok" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" enable=yes
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" enable=yes
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes
    3⤵
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" enable=yes
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" enable=yes
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Venom-winvnc" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" enable=yes
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Folder" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Windows Folder" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" enable=yes
    3⤵
    PID:4060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Windows Service" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" enable=yes
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows Task" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\update.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Windows Task" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\update.exe" enable=yes
    3⤵
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Windows" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" enable=yes
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k netsh advfirewall firewall add rule name="Windows System" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" enable=yes & exit
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Windows System" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" enable=yes
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow & exit
  2⤵
  PID:776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "ngrok" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-ngrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "vnc" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "vnc" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow & exit
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "vnc" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\Venom-winvnc.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "rdp" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "rdp" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "rdp" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit
  2⤵
  PID:1324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Google" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Google" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow & exit
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Google" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\ngrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow & exit
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Chrome" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\winvnc.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow & exit
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows Update" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\rdpinstall.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit
  2⤵
  PID:428
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow & exit
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows task" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate1.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow & exit
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows Service" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\autoupdate2.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow & exit
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows Folder" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\update.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit
  2⤵
  PID:412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow & exit
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\Venom\venom_nkrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit
  2⤵
  PID:652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Inbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow & exit
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell New-NetFirewallRule -DisplayName "Windows System" -Direction Outbound -Program "C:\Users\Admin\AppData\Roaming\venom\nkrok.exe" -Action Allow
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8b735d4ef3ee12eb939070f0614149af

SHA1
f7db1eeaaa3b1817be71564f6998c29b91737854

SHA256
5475f8cb3fd9246b1fdf1a712711f4f4d15b8ccef636b8d284cf9374b2147c99

SHA512
c660a7d9720ed00654a46101d042587cf966f76ea945085fb24a242850699225e995a011bf532b6869f73f89ee2616c2d86e07bf497034535067d5362d3e98a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
802856c288abeefbe70a6a6f56057b22

SHA1
352c55eeb1b3f8202227c0fe04a8af6cffe8eccf

SHA256
325a9116a5147068a3fd22bf82a484a87f284ce7617e0e2b925f34bc97d116da

SHA512
c1596982ca92e8dcf64688e5498fd23c63d30335772704f3dd789a97da7d914a8e8bb81e7e9778ee74511e268c0862b96f9b8db60d7d0f9e2ce2bc757b2c8f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bfa9a81168dac923a046e2c9771fe030

SHA1
ae9026164c9749c047200669c4403d79d165fd7a

SHA256
6a60c0ae64befcbd036bc437d6600cd0229e314eb8fcc046c4f4c5e4a131d960

SHA512
26fc835724829d8cfed0cbabfd5d2d318340299a31e25a38add19fcadd2c6cbf6d271f7c3525a584825c93556ec657d8b7ce246ff5f06fac2271aba3e0bcec07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
81c534129d298f7db3beeb7723bf5142

SHA1
7d9f4c86a259373f332fa8df7998b78d15847499

SHA256
b7e2d32958a41dc432986f2dc9cc287bc525f68f8b2707834a129bac0e12e653

SHA512
1c6334665bb2453a546070480c805fd60e8267f355e9f5eee84531281acd3f91e6e8c719d118510c8a398a4020c374176a53b462dbb5fd4b572ed4120cdee0b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9e5d2132707aabc4e175d39d6e69a5e2

SHA1
b46250901313a6ce9b7f5b64f3f388077d837fd0

SHA256
bca31c534abeb352ee5530807a535526b1dc3ffca0cd721f6b19cf0cf4640bb2

SHA512
e22b110ee468d5a5f32c66c0941110330462dfd8047e74611964f9d526c2506492be61dd06cb5a9b4a261c6c210e224c7c3946c477060494de8dd55f81c27b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9794defb2099191c2e68d6010286b686

SHA1
c5a1dc0cbc7944e176f0c8a17a9f3bbebed15505

SHA256
ff2b3e3a35278be2ee74ba033e056d2bfa5d6ee9f5b6df91dc6050463570e11d

SHA512
c5270a9977ce58f94f9fc6c5b528141a95e0e2c2e5fb03cd30ac3dd49857aab4ebc365a9006ebe86cc620a107ffe27c0a746734a43199bd218a0acf48a039660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6b7dd891f77fce8918829567f0c46d0e

SHA1
1178b123e212b6d666bc81d0b29127ad4ac67c12

SHA256
670e91e599f68341d68f6341ab9e868bd3825fd069e7e6726f690289a52a7249

SHA512
1169902bfb97f8675ff1e295488092785d13f34a204d915db8f1c7805d70273e5e8e3813847e1f73034ab3fc1d6d308ff1aadd08a5915dc8f48d748c0a06d3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
dba695957247bed5d1eb4eff79e5bf3f

SHA1
64959298f49726ae1c17e395d86cf13d89a1e10a

SHA256
62b69b4fe41da52f67ba1c08e82541a02acd13e3f8c95ef9563035a2d7960edd

SHA512
ce33c3f6c50b1317d6b4cc45f312a2d7c25d62acea9aa0a953aad927b090315fe1b0f850ad2da6a6f2a351cbcffecb7056ffdf630c862c09876d17e028241b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7dae55c33ed92b828abf24c9b0b9d18e

SHA1
71556a351f1d2bd6e10c236014539c3da67d1f42

SHA256
e9ab50f8ed3dd681b9918b825a6b36e590a7a9014929ee8a3d99c47310619863

SHA512
31268d76132432ef7c98c64823561d066aa005e878a7220776b862a4706e57635a4d3ea4c546396a9fd219434f2bf999f490b9cf6f13a3605a6a8d05e6205cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3e66da22a9580a981d4ec236984697f9

SHA1
33cf8647db49b9fcdfa323da14df2f1bdd28c131

SHA256
a9ee4279da59e8d4c9cf091884c3cbd99bda5cc4aa2414480f29f400d5d19185

SHA512
81fd2319e2b9dd7c97ada8dc7173679691099464ecb80fe536217c236cf2bf0552ad8f1a75a7a8597ae5d4e6b6a6443817c8e82eace88663260025276184bf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b829d94141656ad55ce4c0b0cfe27bd4

SHA1
b4f204be3831f0bccd82a5cb0f162f014d8fa527

SHA256
5bf4abe1e6226f4fa0512466d491689e01db86d2f4bf50c01af99e75aff5f0bb

SHA512
c19639ae438a69918c8ddb6d2726446cf350778d383ac134ce2b20e8bfb42f536976efbecbbf0295110eb2dd2472160f0d82b29b55ec800e7ff727dab9eb4bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6c364d2d46932621e28b0d901afd033b

SHA1
3f50f4cad04d42d99135ba49342a92090901e2a1

SHA256
f3be9a7a0ca81938dcdfb1e4d139c3d3fe81fef2f74ed900aff542c92d538211

SHA512
6286af5ccbe9a09ca77ae31500dca2672109f4c0f311a2454fce2956c99b8744606d37c0fa105e3e6a663091ef871048a79416ccfbda9dc4bd9c9dc469706d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
338e48db8a0c2b0b205fdee215b03e73

SHA1
ffadab2e104861bfe8a1e707ec7de3da08b13268

SHA256
cbdc55b87c9cd2080f3ad42c72fe575ed31347d5156bad10e035fd62a33e2bf9

SHA512
e0d5a2bb36d852d8806beb76f4e2326d7037db8667d0dc18c28057e87aabb6a7be0925e1c4697d7593e28bf55bdeced0e5fb7191beedece289ef894b54420b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2acd4d0cb6d787451712fc56b0a11b68

SHA1
ef33a6316c59e165e5d84457669dcb17dd54322a

SHA256
f97faa1897edf2f360a33b787c44e3762e965c749f85f5ddfbe6c29f877f242a

SHA512
f02e698dbf466d5a9b09d459bef496bd26e376a558c2a57eddf8d5bdeb9756e40247c85ba182643063cb7fba01e6df338184165ebb9865e3f095c1a777922dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
dc198704a3b208bf9d6359e7abde2e0b

SHA1
8874e1a05e1972eaf4ab679fc0b847385e873dde

SHA256
d26b04e0be3d7cb681b5f26bccf263999caf2abd419aacff445ec22f319fde22

SHA512
0385e9e08c4fed262a9fa09290fb47b81a3a387f5404e282ce19e555958e8d51246cfb1f8838acbadcd5a81bc4486931c6f568bfce0434fd5aac7b21ec9ba3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
209805f246ba7ab4bd632024a227e102

SHA1
bbfe1cdf58fc9e12810ba2986f5760bf9c5d060f

SHA256
2d24f61abf58486538525ea3e4b55c7b8d305f8c88643a14e1cd5ca6635ab5c3

SHA512
3f58d1708a6e683d6f6650ae30e9a445c2c8ac74fdb806f12b50c0f3ea463431d7dac6b764dfc99025190a8ad53db4048121539a7b687b35eae58637cd0f22e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b8db17c9e44784cec5c0489fa841a1a3

SHA1
ea7e7f56f920ee59751fcba089452cef1232537c

SHA256
c863c4bcd24424b06debac1b84410d6b9c467706be1e2c076e52b211727211b2

SHA512
d2d1d2b0699673c8ff391d30f7dcc7e2b2977fa6321dc9b8094c8c0d3c38d99351be5907b5307edb9fe4ace74b64f2199d712638ce5cc6753218e1a2f7189c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2118107bdc6084d897340827b27aace3

SHA1
dc8f371c96e8cad5b765c8fb667ebfb131b6017c

SHA256
69c7537ddeb55939976037fe818e4a20213aa422558c695ed21bb6913b964ec5

SHA512
c7b7396517301aae29038383b1f74e029dca9e7bf06a0b4fd8a21c589bdf1799abae977ef796e176943d99ccbebba30049eb3cee83c27b353a83f069c990a2f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1586af008c5b86c9e36a79dda1d87439

SHA1
20af95e069f1e35928258393d99cce0ae9c5d7e9

SHA256
8a2cf139088ecb552e25be8c8072fbdbb1f0eddcace32e4490a9423294fd575f

SHA512
38db50bd95437bfe694013681e507cbcd09850896bca4fdd3d3767e11cea861214a1d7eaa9032a2da7056f92fa94564427ae95c57d57a36fac10eec2dd763c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
34bd3816c3cb68146ff0aabfabfda346

SHA1
197c565bf6ac4a24d90eef2244f6cc5d71a2890a

SHA256
a9430a707bf980dd45531342a04fc05a37071cee54c9aec48daf883f91b34f8d

SHA512
8207d5c301da564efce4402f19daa99006a44b7584f1c2a4cb0e913304f0df47a9da1f7b74f7a27920acd0741072e525283d32c6f5b17e69fb1297e6594a5a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a12f923e5e909729d2b03f889f47a1db

SHA1
6e9d2e81921372d8acf7160ead91d5b31ab0fb2d

SHA256
9ffef0c9995b5fe71d745af7990383a210cd9a21c66e1aec64583d9a26c17f34

SHA512
d5b977a6debb964bb54b54513c633732327e1d3a6d35cecf2b28f5e1a8ab426b91a1813ad7213353a7e7d23b34aa161d8173ffb9476b554a912de0aedfea53b9

Download Submit
memory/204-411-0x0000000000000000-mapping.dmp

Download
memory/204-412-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/412-514-0x0000000000000000-mapping.dmp

Download
memory/428-358-0x0000000000000000-mapping.dmp

Download
memory/652-566-0x0000000000000000-mapping.dmp

Download
memory/692-43-0x0000000000000000-mapping.dmp

Download
memory/776-71-0x0000000000000000-mapping.dmp

Download
memory/804-359-0x0000000000000000-mapping.dmp

Download
memory/804-360-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1064-254-0x0000000000000000-mapping.dmp

Download
memory/1096-229-0x0000000000000000-mapping.dmp

Download
memory/1096-230-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-567-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1264-36-0x0000000000000000-mapping.dmp

Download
memory/1324-202-0x0000000000000000-mapping.dmp

Download
memory/1456-384-0x0000000000000000-mapping.dmp

Download
memory/1564-24-0x0000000000000000-mapping.dmp

Download
memory/1572-98-0x0000000000000000-mapping.dmp

Download
memory/1628-332-0x0000000000000000-mapping.dmp

Download
memory/1728-488-0x0000000000000000-mapping.dmp

Download
memory/2084-282-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-281-0x0000000000000000-mapping.dmp

Download
memory/2120-38-0x0000000000000000-mapping.dmp

Download
memory/2124-386-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-385-0x0000000000000000-mapping.dmp

Download
memory/2128-25-0x0000000000000000-mapping.dmp

Download
memory/2180-203-0x0000000000000000-mapping.dmp

Download
memory/2180-204-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-74-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-72-0x0000000000000000-mapping.dmp

Download
memory/2252-176-0x0000000000000000-mapping.dmp

Download
memory/2280-542-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-541-0x0000000000000000-mapping.dmp

Download
memory/2284-540-0x0000000000000000-mapping.dmp

Download
memory/2300-30-0x0000000000000000-mapping.dmp

Download
memory/2312-35-0x0000000000000000-mapping.dmp

Download
memory/2468-306-0x0000000000000000-mapping.dmp

Download
memory/2524-150-0x0000000000000000-mapping.dmp

Download
memory/2540-256-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-255-0x0000000000000000-mapping.dmp

Download
memory/2648-410-0x0000000000000000-mapping.dmp

Download
memory/2668-516-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-515-0x0000000000000000-mapping.dmp

Download
memory/2704-27-0x0000000000000000-mapping.dmp

Download
memory/2868-39-0x0000000000000000-mapping.dmp

Download
memory/2916-34-0x0000000000000000-mapping.dmp

Download
memory/3012-464-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-463-0x0000000000000000-mapping.dmp

Download
memory/3048-307-0x0000000000000000-mapping.dmp

Download
memory/3048-308-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3112-52-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3112-51-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/3112-57-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/3112-68-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

Filesize
4KB

Download
memory/3112-67-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/3112-69-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3112-47-0x0000000000000000-mapping.dmp

Download
memory/3112-66-0x0000000009710000-0x0000000009711000-memory.dmp

Filesize
4KB

Download
memory/3112-59-0x0000000009730000-0x0000000009763000-memory.dmp

Filesize
204KB

Download
memory/3112-48-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3112-56-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/3112-55-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/3112-49-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3112-54-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/3112-50-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/3128-41-0x0000000000000000-mapping.dmp

Download
memory/3136-44-0x0000000000000000-mapping.dmp

Download
memory/3160-46-0x0000000000000000-mapping.dmp

Download
memory/3168-151-0x0000000000000000-mapping.dmp

Download
memory/3168-152-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3176-489-0x0000000000000000-mapping.dmp

Download
memory/3176-490-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3424-45-0x0000000000000000-mapping.dmp

Download
memory/3432-31-0x0000000000000000-mapping.dmp

Download
memory/3472-33-0x0000000000000000-mapping.dmp

Download
memory/3520-22-0x0000000000000000-mapping.dmp

Download
memory/3556-29-0x0000000000000000-mapping.dmp

Download
memory/3568-42-0x0000000000000000-mapping.dmp

Download
memory/3572-126-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3572-125-0x0000000000000000-mapping.dmp

Download
memory/3576-6-0x0000000007BD0000-0x0000000007D48000-memory.dmp

Filesize
1.5MB

Download
memory/3576-13-0x0000000008A20000-0x0000000008B54000-memory.dmp

Filesize
1.2MB

Download
memory/3576-3-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3576-5-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3576-7-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/3576-8-0x0000000007E00000-0x0000000007F6C000-memory.dmp

Filesize
1.4MB

Download
memory/3576-9-0x0000000007F70000-0x00000000080D0000-memory.dmp

Filesize
1.4MB

Download
memory/3576-10-0x00000000080D0000-0x0000000008225000-memory.dmp

Filesize
1.3MB

Download
memory/3576-11-0x0000000008790000-0x00000000088DA000-memory.dmp

Filesize
1.3MB

Download
memory/3576-12-0x00000000088E0000-0x0000000008A1E000-memory.dmp

Filesize
1.2MB

Download
memory/3576-23-0x00000000092C0000-0x00000000092C4000-memory.dmp

Filesize
16KB

Download
memory/3576-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3576-21-0x0000000009B30000-0x0000000009B31000-memory.dmp

Filesize
4KB

Download
memory/3576-20-0x00000000092A0000-0x00000000092A1000-memory.dmp

Filesize
4KB

Download
memory/3576-14-0x0000000008B60000-0x0000000008C88000-memory.dmp

Filesize
1.2MB

Download
memory/3576-15-0x0000000008C90000-0x0000000008DAD000-memory.dmp

Filesize
1.1MB

Download
memory/3576-16-0x0000000008DB0000-0x0000000008EC2000-memory.dmp

Filesize
1.1MB

Download
memory/3576-19-0x00000000092D0000-0x00000000092D1000-memory.dmp

Filesize
4KB

Download
memory/3576-17-0x0000000008ED0000-0x0000000008FD7000-memory.dmp

Filesize
1.0MB

Download
memory/3576-18-0x00000000090C0000-0x00000000090C1000-memory.dmp

Filesize
4KB

Download
memory/3584-436-0x0000000000000000-mapping.dmp

Download
memory/3592-99-0x0000000000000000-mapping.dmp

Download
memory/3592-100-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3636-591-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3640-438-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3640-437-0x0000000000000000-mapping.dmp

Download
memory/3652-32-0x0000000000000000-mapping.dmp

Download
memory/3732-333-0x0000000000000000-mapping.dmp

Download
memory/3732-334-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3796-40-0x0000000000000000-mapping.dmp

Download
memory/3800-462-0x0000000000000000-mapping.dmp

Download
memory/3804-228-0x0000000000000000-mapping.dmp

Download
memory/3856-26-0x0000000000000000-mapping.dmp

Download
memory/3912-178-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/3912-177-0x0000000000000000-mapping.dmp

Download
memory/3928-28-0x0000000000000000-mapping.dmp

Download
memory/3940-124-0x0000000000000000-mapping.dmp

Download
memory/4060-37-0x0000000000000000-mapping.dmp

Download
memory/4088-280-0x0000000000000000-mapping.dmp

Download