asyncrat | b96849a992512df5e9cf349bdbaea4ec4a297a9d334aca6ae32d921ccb844e1f

General

Target

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Size

1.0MB
MD5

4125dc4cedd5145802059e6f56491c67
SHA1

8eb676931c46ececa90e400d23369a6c5f3294f1
SHA256

b96849a992512df5e9cf349bdbaea4ec4a297a9d334aca6ae32d921ccb844e1f
SHA512

cc20208af6817c0c64bbf37ad0f2057857c00a81b2fe0bccbc0c37c02db78caedd0332b15f83cc14bafbb46af893b4a8fbf5bade4e553a1382ec42080f763b32

Score

10^/10

asyncrat evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

jesuslopez19011.duckdns.org:1881

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
a9t0tuVlARBorSOG6HaEdksAb0k95PZR
anti_detection
false
autorun
false
bdos
false
delay
Default
host
jesuslopez19011.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
1881
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe\""	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4572-125-0x000000000040C72E-mapping.dmp	asyncrat
behavioral2/memory/4572-124-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe = "0"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe = "0"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe"	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

pid	process
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

description pid process target process

PID 744 set thread context of 4572 744 SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe regsvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4672 744 WerFault.exe SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1908 timeout.exe
4376 timeout.exe
4524 timeout.exe

description	pid	process	target process
PID 744 set thread context of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe

pid	pid_target	process	target process
4672	744	WerFault.exe	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe

pid	process
1908	timeout.exe
4376	timeout.exe
4524	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeSOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exeWerFault.exe

pid	process
2584	powershell.exe
3928	powershell.exe
2700	powershell.exe
2600	powershell.exe
2584	powershell.exe
2700	powershell.exe
3928	powershell.exe
2600	powershell.exe
2700	powershell.exe
2584	powershell.exe
3928	powershell.exe
2600	powershell.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe
4672	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exeregsvcs.exe

description	pid	process
Token: SeDebugPrivilege	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeRestorePrivilege	4672	WerFault.exe
Token: SeBackupPrivilege	4672	WerFault.exe
Token: SeDebugPrivilege	4672	WerFault.exe
Token: SeDebugPrivilege	4572	regsvcs.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.execmd.execmd.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 3928	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 3928	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 3928	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2584	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2584	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2584	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2700	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2700	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2700	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2600	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2600	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2600	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 744 wrote to memory of 2208	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 744 wrote to memory of 2208	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 744 wrote to memory of 2208	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 2208 wrote to memory of 1908	2208	cmd.exe	timeout.exe
PID 2208 wrote to memory of 1908	2208	cmd.exe	timeout.exe
PID 2208 wrote to memory of 1908	2208	cmd.exe	timeout.exe
PID 744 wrote to memory of 4300	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 744 wrote to memory of 4300	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 744 wrote to memory of 4300	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 4300 wrote to memory of 4376	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 4376	4300	cmd.exe	timeout.exe
PID 4300 wrote to memory of 4376	4300	cmd.exe	timeout.exe
PID 744 wrote to memory of 4416	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 744 wrote to memory of 4416	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 744 wrote to memory of 4416	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	cmd.exe
PID 4416 wrote to memory of 4524	4416	cmd.exe	timeout.exe
PID 4416 wrote to memory of 4524	4416	cmd.exe	timeout.exe
PID 4416 wrote to memory of 4524	4416	cmd.exe	timeout.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe
PID 744 wrote to memory of 4572	744	SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe	regsvcs.exe

C:\Users\Admin\AppData\Local\Temp\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe
"C:\Users\Admin\AppData\Local\Temp\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOPORTE DE TRANSFERENCIA BANCO AGRARIO DE COLOMBIA.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 2348
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

3

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
873e0ac731fa738fe8410881d65c9543

SHA1
2cf62e0a63a11a6762c534664b166fec86c8972a

SHA256
27cacad2553aaa653369c6c9aaaed3b6579a6cfa5b9417d970bd602ff5f8f895

SHA512
c84f1a3cb16f7259ea7f14a1e7cdea8043440341184e2ff06272120488b3e5e195f33a5770fb2b834568f24e68e9e0a0b06df9ff3588e09fab07286097563411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b4d82b170ee193af6afd9de204aad6df

SHA1
e213b8c71142d033d00c13818bf4b6f775e3f443

SHA256
06bda0f8a4ebd55fbda83d89aa04205e2001e9956d039c79b9a0474b075292fc

SHA512
4426658327678226c9a25a67fb3d0e2430b35f463aeaa081690594b0cf7ef953dc0ebd32c2916f5c9ecc74e431b0a3863675fa5856e05dc912c1c106a1a7b079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a0e8d8e29918ea0ac8e599c23408a52

SHA1
7db75153fbb19312085eaac0cb10f1602506a1e7

SHA256
99fcfbdccaec1a4095184fc04a4f17f054f716d092ee7cab29ace65ae167077f

SHA512
abf755c810be91070f36b2db3ed18425ffd5e57a1ec2cd0b7d9184dc84002953b98c2524f297746a72749c9bd871f60cefa59d3809df270073947af9db0268b6

Download Submit
memory/744-9-0x0000000004EA0000-0x0000000004EC7000-memory.dmp

Filesize
156KB

Download
memory/744-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/744-7-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/744-3-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/744-8-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/744-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/744-6-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1908-55-0x0000000000000000-mapping.dmp

Download
memory/2208-48-0x0000000000000000-mapping.dmp

Download
memory/2584-11-0x0000000000000000-mapping.dmp

Download
memory/2584-16-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-45-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/2584-98-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/2584-111-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/2600-90-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/2600-22-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-13-0x0000000000000000-mapping.dmp

Download
memory/2600-86-0x0000000008C70000-0x0000000008C71000-memory.dmp

Filesize
4KB

Download
memory/2700-19-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-42-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/2700-12-0x0000000000000000-mapping.dmp

Download
memory/2700-51-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2700-60-0x0000000008F40000-0x0000000008F73000-memory.dmp

Filesize
204KB

Download
memory/3928-14-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3928-15-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/3928-30-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3928-33-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/3928-103-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/3928-28-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/3928-10-0x0000000000000000-mapping.dmp

Download
memory/3928-26-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3928-17-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/4300-96-0x0000000000000000-mapping.dmp

Download
memory/4376-101-0x0000000000000000-mapping.dmp

Download
memory/4416-102-0x0000000000000000-mapping.dmp

Download
memory/4524-119-0x0000000000000000-mapping.dmp

Download
memory/4572-125-0x000000000040C72E-mapping.dmp

Download
memory/4572-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4572-126-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/4672-129-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads