asyncrat | df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

Analysis

max time kernel
650s
max time network
662s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VQUOHFWAS01RVBEUJAS_001.exe
Size

300.0MB
MD5

6a82206ff1fe448ca175471b12b246ab
SHA1

69b656aef476f98feb4d3303a1883026aadf22ca
SHA256

df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9
SHA512

0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d
SSDEEP

3072:xdLp/U+4Ut4dakGX8m0hBtQNq7t/ykXww6r50iis79KaTYVY:f4q4QkXDFI5Fjhd

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

edwardthornton163.duckdns.org:6444

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 17 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1668-63-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat
behavioral1/memory/1668-62-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat
behavioral1/memory/1668-65-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/1668-67-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat
behavioral1/memory/1668-66-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat
behavioral1/memory/1668-71-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat
behavioral1/memory/1668-74-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat
behavioral1/memory/1356-89-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/844-114-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/1828-138-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/1828-142-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1828-140-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1652-157-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/1260-176-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/552-194-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/1900-217-0x00000000004109EE-mapping.dmp	asyncrat
behavioral1/memory/1712-242-0x00000000004109EE-mapping.dmp	asyncrat

Executes dropped EXE 8 IoCs

Processes:

uerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exe

pid process

1984 uerdfd.exe
1708 uerdfd.exe
1096 uerdfd.exe
592 uerdfd.exe
1972 uerdfd.exe
188 uerdfd.exe
1832 uerdfd.exe
1988 uerdfd.exe

pid	process
1984	uerdfd.exe
1708	uerdfd.exe
1096	uerdfd.exe
592	uerdfd.exe
1972	uerdfd.exe
188	uerdfd.exe
1832	uerdfd.exe
1988	uerdfd.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

VQUOHFWAS01RVBEUJAS_001.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exe

description	pid	process	target process
PID 860 set thread context of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 1984 set thread context of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1708 set thread context of 844	1708	uerdfd.exe	RegAsm.exe
PID 1096 set thread context of 1828	1096	uerdfd.exe	RegAsm.exe
PID 592 set thread context of 1652	592	uerdfd.exe	RegAsm.exe
PID 1972 set thread context of 1260	1972	uerdfd.exe	RegAsm.exe
PID 188 set thread context of 552	188	uerdfd.exe	RegAsm.exe
PID 1832 set thread context of 1900	1832	uerdfd.exe	RegAsm.exe
PID 1988 set thread context of 1712	1988	uerdfd.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1592	schtasks.exe
972	schtasks.exe
1340	schtasks.exe
1596	schtasks.exe
764	schtasks.exe
1356	schtasks.exe
272	schtasks.exe
840	schtasks.exe
1984	schtasks.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1668	RegAsm.exe
Token: SeDebugPrivilege	1356	RegAsm.exe
Token: SeDebugPrivilege	844	RegAsm.exe
Token: SeDebugPrivilege	1828	RegAsm.exe
Token: SeDebugPrivilege	1652	RegAsm.exe
Token: SeDebugPrivilege	1260	RegAsm.exe
Token: SeDebugPrivilege	552	RegAsm.exe
Token: SeDebugPrivilege	1900	RegAsm.exe
Token: SeDebugPrivilege	1712	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VQUOHFWAS01RVBEUJAS_001.execmd.exetaskeng.exeuerdfd.execmd.exeuerdfd.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 1768	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1768	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1768	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1768	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 1768 wrote to memory of 272	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 272	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 272	1768	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 272	1768	cmd.exe	schtasks.exe
PID 860 wrote to memory of 1512	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1512	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1512	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1512	860	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 860 wrote to memory of 1668	860	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 1452 wrote to memory of 1984	1452	taskeng.exe	uerdfd.exe
PID 1452 wrote to memory of 1984	1452	taskeng.exe	uerdfd.exe
PID 1452 wrote to memory of 1984	1452	taskeng.exe	uerdfd.exe
PID 1452 wrote to memory of 1984	1452	taskeng.exe	uerdfd.exe
PID 1984 wrote to memory of 1508	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 1508	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 1508	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 1508	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 2000	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 2000	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 2000	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 2000	1984	uerdfd.exe	cmd.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1984 wrote to memory of 1356	1984	uerdfd.exe	RegAsm.exe
PID 1508 wrote to memory of 972	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 972	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 972	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 972	1508	cmd.exe	schtasks.exe
PID 1452 wrote to memory of 1708	1452	taskeng.exe	uerdfd.exe
PID 1452 wrote to memory of 1708	1452	taskeng.exe	uerdfd.exe
PID 1452 wrote to memory of 1708	1452	taskeng.exe	uerdfd.exe
PID 1452 wrote to memory of 1708	1452	taskeng.exe	uerdfd.exe
PID 1708 wrote to memory of 1648	1708	uerdfd.exe	cmd.exe
PID 1708 wrote to memory of 1648	1708	uerdfd.exe	cmd.exe
PID 1708 wrote to memory of 1648	1708	uerdfd.exe	cmd.exe
PID 1708 wrote to memory of 1648	1708	uerdfd.exe	cmd.exe
PID 1648 wrote to memory of 1340	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1340	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1340	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1340	1648	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\VQUOHFWAS01RVBEUJAS_001.exe
"C:\Users\Admin\AppData\Local\Temp\VQUOHFWAS01RVBEUJAS_001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:272

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\VQUOHFWAS01RVBEUJAS_001.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {88DFE947-776A-47F1-BAA2-AF602B69E255} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:972

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1096

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
PID:1904

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:592

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1972

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:188

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
PID:840

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:764

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1832

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1988

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
PID:952

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
3⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/188-182-0x0000000000000000-mapping.dmp

Download
memory/272-57-0x0000000000000000-mapping.dmp

Download
memory/552-194-0x00000000004109EE-mapping.dmp

Download
memory/592-146-0x0000000000F80000-0x0000000000FAC000-memory.dmp

Filesize
176KB

Download
memory/592-144-0x0000000000000000-mapping.dmp

Download
memory/764-187-0x0000000000000000-mapping.dmp

Download
memory/840-131-0x0000000000000000-mapping.dmp

Download
memory/840-185-0x0000000000000000-mapping.dmp

Download
memory/844-114-0x00000000004109EE-mapping.dmp

Download
memory/860-54-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/860-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/952-233-0x0000000000000000-mapping.dmp

Download
memory/972-100-0x0000000000000000-mapping.dmp

Download
memory/1096-127-0x0000000000A10000-0x0000000000A3C000-memory.dmp

Filesize
176KB

Download
memory/1096-125-0x0000000000000000-mapping.dmp

Download
memory/1136-107-0x0000000000000000-mapping.dmp

Download
memory/1260-176-0x00000000004109EE-mapping.dmp

Download
memory/1340-106-0x0000000000000000-mapping.dmp

Download
memory/1356-89-0x00000000004109EE-mapping.dmp

Download
memory/1356-210-0x0000000000000000-mapping.dmp

Download
memory/1508-81-0x0000000000000000-mapping.dmp

Download
memory/1512-58-0x0000000000000000-mapping.dmp

Download
memory/1532-149-0x0000000000000000-mapping.dmp

Download
memory/1560-168-0x0000000000000000-mapping.dmp

Download
memory/1592-234-0x0000000000000000-mapping.dmp

Download
memory/1596-169-0x0000000000000000-mapping.dmp

Download
memory/1628-167-0x0000000000000000-mapping.dmp

Download
memory/1648-105-0x0000000000000000-mapping.dmp

Download
memory/1652-157-0x00000000004109EE-mapping.dmp

Download
memory/1668-67-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-66-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-71-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-74-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-59-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-60-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-65-0x00000000004109EE-mapping.dmp

Download
memory/1668-62-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1668-63-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/1676-130-0x0000000000000000-mapping.dmp

Download
memory/1708-235-0x0000000000000000-mapping.dmp

Download
memory/1708-101-0x0000000000000000-mapping.dmp

Download
memory/1708-103-0x0000000000180000-0x00000000001AC000-memory.dmp

Filesize
176KB

Download
memory/1712-242-0x00000000004109EE-mapping.dmp

Download
memory/1732-208-0x0000000000000000-mapping.dmp

Download
memory/1768-56-0x0000000000000000-mapping.dmp

Download
memory/1828-142-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1828-138-0x00000000004109EE-mapping.dmp

Download
memory/1828-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1832-205-0x0000000000000000-mapping.dmp

Download
memory/1900-217-0x00000000004109EE-mapping.dmp

Download
memory/1904-129-0x0000000000000000-mapping.dmp

Download
memory/1908-186-0x0000000000000000-mapping.dmp

Download
memory/1972-163-0x0000000000000000-mapping.dmp

Download
memory/1972-165-0x00000000011F0000-0x000000000121C000-memory.dmp

Filesize
176KB

Download
memory/1984-209-0x0000000000000000-mapping.dmp

Download
memory/1984-150-0x0000000000000000-mapping.dmp

Download
memory/1984-79-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1984-77-0x0000000000000000-mapping.dmp

Download
memory/1988-229-0x0000000000000000-mapping.dmp

Download
memory/1988-231-0x0000000001310000-0x000000000133C000-memory.dmp

Filesize
176KB

Download
memory/2000-82-0x0000000000000000-mapping.dmp

Download
memory/2028-148-0x0000000000000000-mapping.dmp

Download