asyncrat | df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

Analysis

max time kernel
598s
max time network
605s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
14-10-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VQUOHFWAS01RVBEUJAS_001.exe
Size

300.0MB
MD5

6a82206ff1fe448ca175471b12b246ab
SHA1

69b656aef476f98feb4d3303a1883026aadf22ca
SHA256

df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9
SHA512

0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d
SSDEEP

3072:xdLp/U+4Ut4dakGX8m0hBtQNq7t/ykXww6r50iis79KaTYVY:f4q4QkXDFI5Fjhd

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

edwardthornton163.duckdns.org:6444

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4220-204-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/4220-257-0x0000000000720000-0x0000000000736000-memory.dmp	asyncrat
behavioral2/memory/1264-346-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/4108-498-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/4964-639-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/4516-779-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/4244-919-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/3768-1059-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/1268-1199-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/3888-1339-0x00000000004109EE-mapping.dmp	asyncrat
behavioral2/memory/3560-1479-0x00000000004109EE-mapping.dmp	asyncrat

Executes dropped EXE 9 IoCs

Processes:

uerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exe

pid process

4968 uerdfd.exe
2200 uerdfd.exe
3448 uerdfd.exe
928 uerdfd.exe
2244 uerdfd.exe
428 uerdfd.exe
4960 uerdfd.exe
4936 uerdfd.exe
4144 uerdfd.exe

pid	process
4968	uerdfd.exe
2200	uerdfd.exe
3448	uerdfd.exe
928	uerdfd.exe
2244	uerdfd.exe
428	uerdfd.exe
4960	uerdfd.exe
4936	uerdfd.exe
4144	uerdfd.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

VQUOHFWAS01RVBEUJAS_001.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exeuerdfd.exe

description	pid	process	target process
PID 5112 set thread context of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 4968 set thread context of 1264	4968	uerdfd.exe	RegAsm.exe
PID 2200 set thread context of 4108	2200	uerdfd.exe	RegAsm.exe
PID 3448 set thread context of 4964	3448	uerdfd.exe	RegAsm.exe
PID 928 set thread context of 4516	928	uerdfd.exe	RegAsm.exe
PID 2244 set thread context of 4244	2244	uerdfd.exe	RegAsm.exe
PID 428 set thread context of 3768	428	uerdfd.exe	RegAsm.exe
PID 4960 set thread context of 1268	4960	uerdfd.exe	RegAsm.exe
PID 4936 set thread context of 3888	4936	uerdfd.exe	RegAsm.exe
PID 4144 set thread context of 3560	4144	uerdfd.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2976	schtasks.exe
4788	schtasks.exe
4716	schtasks.exe
1340	schtasks.exe
2924	schtasks.exe
4192	schtasks.exe
3208	schtasks.exe
4716	schtasks.exe
4160	schtasks.exe
160	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4220	RegAsm.exe
Token: SeDebugPrivilege	1264	RegAsm.exe
Token: SeDebugPrivilege	4108	RegAsm.exe
Token: SeDebugPrivilege	4964	RegAsm.exe
Token: SeDebugPrivilege	4516	RegAsm.exe
Token: SeDebugPrivilege	4244	RegAsm.exe
Token: SeDebugPrivilege	3768	RegAsm.exe
Token: SeDebugPrivilege	1268	RegAsm.exe
Token: SeDebugPrivilege	3888	RegAsm.exe
Token: SeDebugPrivilege	3560	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VQUOHFWAS01RVBEUJAS_001.execmd.exeuerdfd.execmd.exeuerdfd.execmd.exeuerdfd.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 3344	5112	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 5112 wrote to memory of 3344	5112	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 5112 wrote to memory of 3344	5112	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 5112 wrote to memory of 1600	5112	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 5112 wrote to memory of 1600	5112	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 5112 wrote to memory of 1600	5112	VQUOHFWAS01RVBEUJAS_001.exe	cmd.exe
PID 3344 wrote to memory of 4192	3344	cmd.exe	schtasks.exe
PID 3344 wrote to memory of 4192	3344	cmd.exe	schtasks.exe
PID 3344 wrote to memory of 4192	3344	cmd.exe	schtasks.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 5112 wrote to memory of 4220	5112	VQUOHFWAS01RVBEUJAS_001.exe	RegAsm.exe
PID 4968 wrote to memory of 668	4968	uerdfd.exe	cmd.exe
PID 4968 wrote to memory of 668	4968	uerdfd.exe	cmd.exe
PID 4968 wrote to memory of 668	4968	uerdfd.exe	cmd.exe
PID 4968 wrote to memory of 620	4968	uerdfd.exe	cmd.exe
PID 4968 wrote to memory of 620	4968	uerdfd.exe	cmd.exe
PID 4968 wrote to memory of 620	4968	uerdfd.exe	cmd.exe
PID 668 wrote to memory of 3208	668	cmd.exe	schtasks.exe
PID 668 wrote to memory of 3208	668	cmd.exe	schtasks.exe
PID 668 wrote to memory of 3208	668	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 4968 wrote to memory of 1264	4968	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 2056	2200	uerdfd.exe	cmd.exe
PID 2200 wrote to memory of 2056	2200	uerdfd.exe	cmd.exe
PID 2200 wrote to memory of 2056	2200	uerdfd.exe	cmd.exe
PID 2200 wrote to memory of 4288	2200	uerdfd.exe	cmd.exe
PID 2200 wrote to memory of 4288	2200	uerdfd.exe	cmd.exe
PID 2200 wrote to memory of 4288	2200	uerdfd.exe	cmd.exe
PID 2056 wrote to memory of 4716	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 4716	2056	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 4716	2056	cmd.exe	schtasks.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 2200 wrote to memory of 4108	2200	uerdfd.exe	RegAsm.exe
PID 3448 wrote to memory of 1352	3448	uerdfd.exe	cmd.exe
PID 3448 wrote to memory of 1352	3448	uerdfd.exe	cmd.exe
PID 3448 wrote to memory of 1352	3448	uerdfd.exe	cmd.exe
PID 1352 wrote to memory of 4160	1352	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 4160	1352	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 4160	1352	cmd.exe	schtasks.exe
PID 3448 wrote to memory of 724	3448	uerdfd.exe	cmd.exe
PID 3448 wrote to memory of 724	3448	uerdfd.exe	cmd.exe
PID 3448 wrote to memory of 724	3448	uerdfd.exe	cmd.exe
PID 3448 wrote to memory of 4964	3448	uerdfd.exe	RegAsm.exe
PID 3448 wrote to memory of 4964	3448	uerdfd.exe	RegAsm.exe
PID 3448 wrote to memory of 4964	3448	uerdfd.exe	RegAsm.exe
PID 3448 wrote to memory of 4964	3448	uerdfd.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\VQUOHFWAS01RVBEUJAS_001.exe
"C:\Users\Admin\AppData\Local\Temp\VQUOHFWAS01RVBEUJAS_001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4192

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\VQUOHFWAS01RVBEUJAS_001.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2244

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
PID:4120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2976

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:4660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:428

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
PID:3704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4788

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4960

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4936

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
PID:3996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Users\Admin\AppData\Roaming\uerdfd.exe
C:\Users\Admin\AppData\Roaming\uerdfd.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4144

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
2⤵
PID:2840

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\uerdfd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uerdfd.exe" "C:\Users\Admin\AppData\Roaming\uerdfd.exe"
2⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uerdfd.exe.log
Filesize
520B

MD5
f5a4ac8b07bce81c5d29a6701317315b

SHA1
b2a2b7735c475f5d30a2d94251b4d7c4f511a57e

SHA256
e6a1b02dd813c1f29bfd8361a4fc7ca6f24d2e41d5c3a66258cb66f3cb902f5a

SHA512
83a82932a9395f13e346a5e3e7fd27ed6d5fb6d32b6838107c24318add4c74f199d974d6f33acb0f6aa670a19a544c672f420249c792e336452ad37f304e7dc0

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
C:\Users\Admin\AppData\Roaming\uerdfd.exe
Filesize
300.0MB

MD5
6a82206ff1fe448ca175471b12b246ab

SHA1
69b656aef476f98feb4d3303a1883026aadf22ca

SHA256
df54b9860fdba9bd38a3cee13daac0ec72292701fc355d8011efcf8c37f2d2e9

SHA512
0acbfb370a445e5ca1cf7dfdd586c4b533e98a8940f25db99c0a282bb3440b0008412784c940969e1d00711ff91b93780f9d6ee10105b4a7391a84f2a901c57d

Download Submit
memory/160-752-0x0000000000000000-mapping.dmp

Download
memory/228-757-0x0000000000000000-mapping.dmp

Download
memory/620-330-0x0000000000000000-mapping.dmp

Download
memory/668-325-0x0000000000000000-mapping.dmp

Download
memory/724-616-0x0000000000000000-mapping.dmp

Download
memory/936-1166-0x0000000000000000-mapping.dmp

Download
memory/1264-346-0x00000000004109EE-mapping.dmp

Download
memory/1268-1199-0x00000000004109EE-mapping.dmp

Download
memory/1340-1173-0x0000000000000000-mapping.dmp

Download
memory/1352-606-0x0000000000000000-mapping.dmp

Download
memory/1600-179-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-185-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-188-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-174-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-175-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-173-0x0000000000000000-mapping.dmp

Download
memory/1600-186-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-176-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-187-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1600-178-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-1453-0x0000000000000000-mapping.dmp

Download
memory/1928-1171-0x0000000000000000-mapping.dmp

Download
memory/2056-465-0x0000000000000000-mapping.dmp

Download
memory/2056-1312-0x0000000000000000-mapping.dmp

Download
memory/2176-746-0x0000000000000000-mapping.dmp

Download
memory/2840-1446-0x0000000000000000-mapping.dmp

Download
memory/2924-1452-0x0000000000000000-mapping.dmp

Download
memory/2976-898-0x0000000000000000-mapping.dmp

Download
memory/3208-336-0x0000000000000000-mapping.dmp

Download
memory/3344-167-0x0000000000000000-mapping.dmp

Download
memory/3344-170-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-171-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-169-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-168-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3344-177-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/3560-1479-0x00000000004109EE-mapping.dmp

Download
memory/3668-1032-0x0000000000000000-mapping.dmp

Download
memory/3704-1026-0x0000000000000000-mapping.dmp

Download
memory/3768-1059-0x00000000004109EE-mapping.dmp

Download
memory/3888-1339-0x00000000004109EE-mapping.dmp

Download
memory/3996-1306-0x0000000000000000-mapping.dmp

Download
memory/4108-498-0x00000000004109EE-mapping.dmp

Download
memory/4120-886-0x0000000000000000-mapping.dmp

Download
memory/4160-612-0x0000000000000000-mapping.dmp

Download
memory/4192-183-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/4192-184-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/4192-180-0x0000000000000000-mapping.dmp

Download
memory/4192-181-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/4192-182-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-257-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/4220-204-0x00000000004109EE-mapping.dmp

Download
memory/4244-919-0x00000000004109EE-mapping.dmp

Download
memory/4288-470-0x0000000000000000-mapping.dmp

Download
memory/4516-779-0x00000000004109EE-mapping.dmp

Download
memory/4660-891-0x0000000000000000-mapping.dmp

Download
memory/4716-477-0x0000000000000000-mapping.dmp

Download
memory/4716-1313-0x0000000000000000-mapping.dmp

Download
memory/4788-1038-0x0000000000000000-mapping.dmp

Download
memory/4964-639-0x00000000004109EE-mapping.dmp

Download
memory/5112-120-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-141-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-157-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-156-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-155-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-154-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-153-0x0000000000F00000-0x0000000000F2C000-memory.dmp

Filesize
176KB

Download
memory/5112-152-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-151-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-159-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-160-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-150-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-149-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-148-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-147-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-172-0x0000000005EF0000-0x00000000063EE000-memory.dmp

Filesize
5.0MB

Download
memory/5112-146-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-161-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-145-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-144-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-143-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-142-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-162-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-158-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-140-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-163-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-138-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-164-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-139-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-137-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-136-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-165-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-135-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-134-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-133-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-132-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-131-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-130-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-129-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-128-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-127-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-166-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-126-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-125-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-124-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-123-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-122-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-121-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download