Overview

overview

10

Static

static

3

cheon_H4.03-X64.exe

windows10-ltsc_2021-x64

10

cheon_H4.03-X64.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/04/2025, 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheon_H4.03-X64.exe

  • Size

    88.8MB

  • MD5

    ce1d8c9970b30019e5b35b7ba968107b

  • SHA1

    b1e0898deac62e2a763bbd67e973c60d1d2b7267

  • SHA256

    9c0f551fa5e93c3f30c90d89f49d811296f84cdb17c45c005559125c275fb7b7

  • SHA512

    1742082598e15065880915168f9958b7ca7b2b8232047836d3f67a78538eec9ed21618c8f5e1b60f321e08a381162aeca3227ff0150cce688ef350b438f9cc2d

  • SSDEEP

    1572864:4W3kvckR7qEWlVaDkRqDX4beH5HY+9OY0AbOb84I8FalUxTv1+:4WtW7jCcIqWeH6SOVXI8Fai1+

Score
10/10
valleyrat_s2backdoordiscoveryexecution

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

pniu.fun:10501

pniu.fun:10502

pniu.fun:10503
Attributes
  • campaign_date

    2025. 4. 3

Signatures

  • ValleyRat

    ValleyRat stage2 is a backdoor written in C++.

    backdoorvalleyrat_s2
  • Valleyrat_s2 family
    valleyrat_s2
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
    discovery
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 4 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheon_H4.03-X64.exe
    "C:\Users\Admin\AppData\Local\Temp\cheon_H4.03-X64.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -ExclusionPath C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, N:\, O:\, P:\, Q:\, R:\, S:\, T:\, U:\, V:\, W:\, X:\, Y:\, Z:\
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\SysWOW64\wscript.exe
      wscript //B "C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yr2oy0uf\yr2oy0uf.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5432
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6A6.tmp" "c:\Users\Admin\AppData\Local\Temp\yr2oy0uf\CSC5D79D26EE17B4E68A7C5D4BFF132816.TMP"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5364
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /B /c "C:\Users\Admin\AppData\Local\Temp\monitor.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 2000"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "2000"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2500
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1772
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 2000"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3996
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "2000"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4544
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:5232
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 2000"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1372
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "2000"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3172
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:952
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /fi "PID eq 2000"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5144
          • C:\Windows\SysWOW64\findstr.exe
            findstr /i "2000"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5720
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 15
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2164
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5724
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4052
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:6008
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4740
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:740
    • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
      "C:\Users\Admin\AppData\Local\SGuardSvc32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5420
      • C:\Windows\SysWOW64\edpnotify.exe
        C:\Windows\SysWOW64\edpnotify.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    431708e4f1180f5dafd3573e9eac737d

    SHA1

    7b09690f8b6c7ffb1fe4b35ede984dfdb645dc8c

    SHA256

    27ac0f22ba123595ac6dd038be3e4971d4230a6e58e2d4fa2d12bd1ca9b888b8

    SHA512

    d1f5c6410c3135d5c4bc1e966a4eac67632cd961273cd3369b9d1a15d21b8791bdec546265f3b03855de6f0a72f40448f911ed4ef49cfd08dc9dbb0635f02121

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    59a1b4207b28cc961806c6481dc54243

    SHA1

    171f05b59a2c97b5d21395a5d597088330723354

    SHA256

    c349a0e206ff0020d2e55d7f97376c3945fc8cf093de99acf51b797d7f144003

    SHA512

    a88a68beb9a3b86caeb8865e8e11513772b4b101dfd3df0b44d9d4589b0f79aef6f554601f176eee6f8feea185d840e55c41693bef6d983bb43f5b81071bb353

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    20KB

    MD5

    b818d2393360918f3b02a2089c1a2db7

    SHA1

    3a00828da3b45e7764125beab243ef12788360f8

    SHA256

    80899e9cf781815833a0247cbf871f159cda996d5d90b212820b1ae8d6ec07f6

    SHA512

    29995b4790d9012876a4e465de8cd25f0c212d520851ab043e0eb370b6b2913b0e88b62ed174855276897e3ab7501fe834949a69f8bc5be48afbf26273d61a8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    20KB

    MD5

    7ced792184ed22a07a8ecab82cec290e

    SHA1

    07ef9ca137d1567c5d80ff75ccd9b6d5e242bb35

    SHA256

    bbfdd05de80edc9e260a1174a36dc366db58354076f387f548dd2eae77257bbe

    SHA512

    68cc2ae54138fa20d096a1b800f455356d890c9e1c9a0c09a627d5c929c0718013ab1286b8719ef8e7dc8d65283f0900472ea442a7c3f945cc90ec08b499c3e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected.ini
    Filesize

    207KB

    MD5

    ec52fa862a056975e93d2acf7889cfcf

    SHA1

    cc973fc28c8deb59a3c79375e1d247761356874c

    SHA256

    6489e9e620d90228b431544d990a99d1c94ab7f8e68b2daae5e396cf1759bfec

    SHA512

    8e68f6338ddff7abae22d568fbb6a4dc9d4a30e11b1c4d47a3b06496036a3b0437576d681b801114734a53bfcaea48cdd789061ca7d44a0a4fd71384da765a71

    Download Submit

  • C:\Users\Admin\AppData\Local\Protected.json
    Filesize

    194KB

    MD5

    f5088d8e9f74af65dfce439c91ce5fda

    SHA1

    a5b87c273bdf258e746e6e21789e3033cd3eecfb

    SHA256

    459b001e277302d93177a59500f1fa99af2c02354ff296612406055ec62df45f

    SHA512

    f33751016a8ebc961ca979885212f8a7b47ebc8d6b610274f38e06908341ec38393f6b1eac6df412f45b66014254a73b53775ed19f929a7d3b38a62cc8a24f45

    Download Submit

  • C:\Users\Admin\AppData\Local\SGuardSvc32.exe
    Filesize

    725KB

    MD5

    923b08492146a6a3b8bd269eb25f6372

    SHA1

    e263b5265abeae655f0ef5000196dbb80c6eca9b

    SHA256

    2fdf2af92b069e06d9cb1d9713a6e34b7223a60214d17bf3f8ee0a4d6c9a4480

    SHA512

    6f51bfd0d5b195e218231470b4bc8d4700c804252d1af48dde13a2f298e15ff725bb0641fdc868dcaef381bd805b4a7a9433ed695198001c21eafd93c9d5867f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESC6A6.tmp
    Filesize

    1KB

    MD5

    15457fbfffce5df7365fba257512666b

    SHA1

    8283bca42655d8c08d43fb498c959317939f5ceb

    SHA256

    d5d4ff58a20632e76d1aa7416394838bcdc75a4e3835b4e4dba5c1c899ceb5a1

    SHA512

    310faa29899d849540b74fda726ecc08dc69d669ba2101a434ffaf93b9a1c08c900e40ddb9ed398f89260ee1cee6f464a9412676c5a445ffe28d6a64ca5396c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yj3pn3qh.le1.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\monitor.bat
    Filesize

    308B

    MD5

    f228f13dbde97578c2b622137fdee789

    SHA1

    1fe68592840fe03e88a181fbceca932826e9ff69

    SHA256

    61220af764ee8d7c326e4c77f66e97adf93d469c7d21c0490b377838d0d5aefd

    SHA512

    250b12c800a427ec11dcb125b573c2c304cd570f32acc5faf285d0cf43198eb7d886c44fe2ff9a87977e8b53ee239577530ce232a38db4879959755bc4703cf7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\InstallOptions.dll
    Filesize

    15KB

    MD5

    d095b082b7c5ba4665d40d9c5042af6d

    SHA1

    2220277304af105ca6c56219f56f04e894b28d27

    SHA256

    b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

    SHA512

    61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\System.dll
    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    d0c54a2441ca381886b5f8b6d036eeb6

    SHA1

    37337eae8f33122e0d366d22abbfdefb50a84b72

    SHA256

    cdfb51a0e59d9be72064e07c3e58d2d156217c89675ab82f066d1d3550de60fd

    SHA512

    0d67acf7ed929f3d6aa66dc2af4b54497c92514d8036879e38e68c9b6ec7984692038ab1ac4fbfa81224baafa9e70aa9a40ae9cd4fd03ed0892a6ebed1885519

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    5b02431f7e9f169447b24bbba730710d

    SHA1

    250033d3113b34f18972fa6cc6d3cbafec777eaa

    SHA256

    7853b8ce74fb50e862cb1389ade96ae7cb4f2162725e5f7687a04f8e8a1c60cd

    SHA512

    87a128c7bff761ac5e3bbf6ee3b0ff257df7b1299de1668fbf937d653575677a465860d0bb2ebba9ddd7e7904a970182fe0ba0d6c6e4c63513d56502f24f2f1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\ioSpecial.ini
    Filesize

    1KB

    MD5

    60224df40b627cac1c3003659cb2bf20

    SHA1

    a6d77901e8bf6d0c1e0cb439ce83d1b237582e06

    SHA256

    cdb1faff82e7a5d699052d7505a5f4869288e8d0c39f19c563cc414f9d07d112

    SHA512

    76ad6bcedf51a0e0272e584e7cdc665e90704dd160ec6740c83b26cc91e3af5bfbccaa994821d1984a28eb76b5f75a6d7ebf389662e8acdc45197b6a0b21177e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsg5729.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    b4579bc396ace8cafd9e825ff63fe244

    SHA1

    32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

    SHA256

    01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

    SHA512

    3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\target.pid
    Filesize

    4B

    MD5

    08f90c1a417155361a5c4b8d297e0d78

    SHA1

    a4ac914c09d7c097fe1f4f96b897e625b6922069

    SHA256

    81a83544cf93c245178cbc1620030f1123f435af867c79d87135983c52ab39d9

    SHA512

    57acf66b146e4f606413e8707ffae882a5ea0228de3455c8efffd439f6ef1a2a04eec109d2879bf64c1d7e05cdd808a14db5c5b0f6a4ccf758d0c998058b53cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\yr2oy0uf\yr2oy0uf.dll
    Filesize

    3KB

    MD5

    ff90fd0a5cc63d43bd9ff7a6acc6c51d

    SHA1

    a0eac939abdffd1db2460709fba7188a5f610dc4

    SHA256

    8db015b160b34f92834ca5505a3cc93f163f275221f402dd7cd3959801eb80d8

    SHA512

    cf15c63910d7c3ba701741038558b1c559b0a87e535949fad865e636c19eec12cecd86c290b701039c16bcda47323bb7080c3c3ae734f4af1a08209f35c4dee4

    Download Submit

  • C:\Users\Admin\AppData\Local\updated.ps1
    Filesize

    221B

    MD5

    9b111b45096065d52a01747528eed794

    SHA1

    6b54320b17f2f26dfdf07b0e3d1dcf9bc98a42c6

    SHA256

    77ef6e260b031433d6e78bd885166896649ed1289bb65ed2cd1343424583e305

    SHA512

    3b067d8ed3a61816e09248817a3f326203dce5619a1e4a6aa007f7cc8e18f89609a0c128e2a8c03762d3107c21f13388bf3be5ea6e2120ed3f1d2a2623a773cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TrustAsia\Config.ini
    Filesize

    565KB

    MD5

    b6e7cb06da2ffea87f887b7d5d514d71

    SHA1

    d5d21843afb8e7bb134b532ef449d5b9a7b2fecc

    SHA256

    e958883b06092e7140470fdafd51d0fcad6ef0353c1409ef10ad06799ccee87a

    SHA512

    5b49c13324e2d1c79345c462f55f21dbecff636d0cac89006b5e6930f66a271ca64856e178ebc67a12d0ca6d3286a52aa3c702c8fccbf9e53635573409fe5bf5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TrustAsia\Logs.vbs
    Filesize

    296B

    MD5

    a6358b8bd98902002cbc1465bf276f01

    SHA1

    dfcb4633d17d8a15588d34a34cb6328a33e555c1

    SHA256

    3e5bec0f2a7b1b3c4d921580d0028fb6807b0589ca8d3496070d39c485ed91fc

    SHA512

    0024b856b828b37a275840157de7322d5713bc1136f5920dcd2684a37e0612c1c8823c15544bb5db8333a37821a38c83c6f587548fb551f13102cb3037eec469

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TrustAsia\TrustAsia.ps1
    Filesize

    1KB

    MD5

    9b9d43d1e8a3579a0e81e35db8e84c46

    SHA1

    63a89e50f8050ad7a89745bcdb51180373e33c4c

    SHA256

    0a04147427707bfac19f7712006c44baf869e1fb76fb5246f90e00c6e3cdc0e5

    SHA512

    f2f09b6aa0c98a2542d46eaa371ed0b6ecddf7fdd0e3de2223fd3b6643dc9d81e62d72f7666b089cb4586af2f6d34fb052a5009ff9aea523d404bd1c1c3be815

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\yr2oy0uf\CSC5D79D26EE17B4E68A7C5D4BFF132816.TMP
    Filesize

    652B

    MD5

    9eee505cbdd112547d99b5d7ec1b6eb9

    SHA1

    c65456b2de47e86be064369b428de58ef0de2e3f

    SHA256

    3bf3560ddc8fcb2a34e6fe33612bb79541ee8fd9302f5c250859c0aa0b1934ee

    SHA512

    ca48a96f719f39c1381ccd34c6123f36e427513f72b67a8d854f5d90aa53da437fc5937dcd3c6d05f4377db4d249d18bfaef0140ef7d0e03be03abe78dc87497

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\yr2oy0uf\yr2oy0uf.0.cs
    Filesize

    266B

    MD5

    c09bbaf83f7558f61a7235b2860d45d1

    SHA1

    ab169ea364e917f698a69a760b3aceec33a6b209

    SHA256

    aa7ae06461aae58bb22b9c54bf79a1b42e153985f7cc9612bf02439204819d5c

    SHA512

    5b2e56406f1d620d2aa4fcfe7e2d824e583657e452b4a9cbf5be64d26d3050e9adf9ea4f1ec395eb514c05530eea5a3edb9b57b71fc34523136ad751675c52db

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\yr2oy0uf\yr2oy0uf.cmdline
    Filesize

    369B

    MD5

    180ea61d908c2226d7fd9b6f4fc687d5

    SHA1

    b7af846b169dba08a01b8350fc80883928dd2d38

    SHA256

    1dc429cf982f7058c872426192907a5517ea97fba75f47113d2b86bde84a0370

    SHA512

    04a2ea0777f5c5da32874e538df2e81dd1480632c990b79c231ecd5eaab468d652cacea39563a219ca0e2570b837b13f0054f7e9b786f8febdfbb5b89b18a915

    Download Submit

  • memory/740-389-0x0000000070360000-0x00000000703AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/740-390-0x00000000704C0000-0x0000000070817000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2000-185-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2000-401-0x0000000007FB0000-0x0000000007FE7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2000-377-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-370-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-375-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-399-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-400-0x0000000007FB0000-0x0000000007FE7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2000-146-0x0000000005680000-0x00000000059D7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2000-332-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2000-149-0x0000000006020000-0x000000000606C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2000-405-0x0000000007FB0000-0x0000000007FE7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2000-153-0x0000000006090000-0x00000000060B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-154-0x00000000073F0000-0x0000000007996000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2000-404-0x0000000007FB0000-0x0000000007FE7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2000-276-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2000-269-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2000-408-0x0000000010000000-0x0000000010092000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2000-410-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-170-0x0000000006E50000-0x0000000006E58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2000-411-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2000-376-0x00000000048F0000-0x0000000004912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2732-85-0x000000007399E000-0x000000007399F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2732-105-0x0000000070350000-0x000000007039C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2732-103-0x0000000006BC0000-0x0000000006C0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2732-101-0x00000000063F0000-0x0000000006747000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2732-104-0x0000000007A90000-0x0000000007AC4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2732-107-0x0000000073990000-0x0000000074141000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2732-92-0x0000000006380000-0x00000000063E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2732-91-0x0000000006310000-0x0000000006376000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2732-120-0x0000000007C10000-0x0000000007C2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2732-121-0x0000000007C80000-0x0000000007C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2732-90-0x0000000005B10000-0x0000000005B32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2732-89-0x0000000073990000-0x0000000074141000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2732-122-0x0000000007EB0000-0x0000000007F46000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2732-123-0x0000000007E20000-0x0000000007E31000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2732-102-0x00000000068B0000-0x00000000068CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2732-125-0x0000000007E70000-0x0000000007E85000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2732-119-0x0000000008250000-0x00000000088CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2732-88-0x0000000005B70000-0x000000000619A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2732-87-0x0000000073990000-0x0000000074141000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2732-126-0x0000000007F70000-0x0000000007F8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2732-115-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2732-124-0x0000000007E60000-0x0000000007E6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2732-86-0x0000000005430000-0x0000000005466000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2732-116-0x0000000007AD0000-0x0000000007B74000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2732-118-0x0000000073990000-0x0000000074141000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2732-130-0x0000000073990000-0x0000000074141000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2732-127-0x0000000007F50000-0x0000000007F58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2732-117-0x0000000073990000-0x0000000074141000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4052-310-0x0000000070360000-0x00000000703AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4740-360-0x0000000070360000-0x00000000703AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4740-386-0x0000000007540000-0x0000000007551000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4740-369-0x0000000007280000-0x0000000007324000-memory.dmp

    Filesize

    656KB

    Download

  • memory/5420-179-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/5560-191-0x0000000010000000-0x0000000010037000-memory.dmp

    Filesize

    220KB

    Download

  • memory/5560-190-0x0000000001200000-0x0000000001234000-memory.dmp

    Filesize

    208KB

    Download

  • memory/5724-319-0x0000000007880000-0x0000000007895000-memory.dmp

    Filesize

    84KB

    Download

  • memory/5724-309-0x0000000007840000-0x0000000007851000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5724-308-0x0000000007580000-0x0000000007624000-memory.dmp

    Filesize

    656KB

    Download

  • memory/5724-299-0x0000000070360000-0x00000000703AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/6008-334-0x00000000704C0000-0x0000000070817000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/6008-333-0x0000000070360000-0x00000000703AC000-memory.dmp

    Filesize

    304KB

    Download