Malware Analysis Report

2024-11-13 16:42

Sample ID 230227-hg8enacb86
Target 819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c
SHA256 819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c
Tags
asyncrat purecrypter smokeloader 787878 --- tpb --- 787878 backdoor downloader loader persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c

Threat Level: Known bad

The file 819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c was found to be: Known bad.

Malicious Activity Summary

Detects Smokeloader packer

AsyncRat

Detect PureCrypter injector

SmokeLoader

PureCrypter

Modifies WinLogon for persistence

Async RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2023-02-27 06:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-27 06:43

Reported

2023-02-27 06:46

Platform

win7-20230220-en

Max time kernel

82s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"

Signatures

AsyncRat

rat asyncrat

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Vipertex\\Saten.exe\"," C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\"," C:\Users\Admin\AppData\Local\Temp\qekjvo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\"," C:\Users\Admin\AppData\Local\Temp\rzaylm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\"," C:\Users\Admin\AppData\Local\Temp\tjmotg.exe N/A
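The four Shell writes above are how each stage survives the next logon: Winlogon launches every comma-separated entry of the Shell value, and the stock value is exactly explorer.exe, so everything after the first comma is the persistence payload. The following example was written for this report (it is not sandbox output or malware code) and parses the values as the sandbox prints them. Facts relied on: Winlogon reads Shell from HKLM for the machine default and from HKCU (the S-1-5-21-... hive shown here) as a per-user override. Assumptions: the sandbox's escaped quoting (\" for a quote, \\ for a backslash) is undone before parsing, and the user-writable check only looks under a profile's AppData directory.

```python
"""Parse a Winlogon\\Shell value and report what was appended to it.

Added example for this report; not sandbox or malware code. Winlogon starts
every comma-separated entry of the Shell value (HKLM for the machine default,
HKCU for a per-user override); the stock value is exactly "explorer.exe", so
each further entry is a persistence payload. The four values below are the
"Set value (str)" rows from the behavioral1 table in the report's escaped form.
"""
import re
from dataclasses import dataclass, field

DEFAULT_SHELL = "explorer.exe"

# Sandbox output escapes the registry string like JSON: \" for a quote and \\ for a backslash.
def unescape_report_string(value: str) -> str:
    return value.replace('\\"', '"').replace("\\\\", "\\")

# One quoted entry, or one run of non-comma characters.
_ENTRY_RE = re.compile(r'"([^"]*)"|([^,]+)')
# Anything under a user profile's AppData is writable without elevation (assumption).
_USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass
class ShellFinding:
    raw: str
    entries: list = field(default_factory=list)        # every program Winlogon would start
    extra: list = field(default_factory=list)          # entries beyond the stock shell
    user_writable: list = field(default_factory=list)  # extras living under a user profile

    @property
    def tampered(self) -> bool:
        return bool(self.extra)

    def remediation(self) -> str:
        """Value to write back: the stock shell only."""
        return DEFAULT_SHELL


def split_shell_value(value: str) -> list:
    """'explorer.exe,"C:\\dir with space\\x.exe",' -> ['explorer.exe', 'C:\\dir with space\\x.exe']"""
    entries = []
    for m in _ENTRY_RE.finditer(value):
        item = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if item:
            entries.append(item)
    return entries


def analyse_shell_value(report_value: str) -> ShellFinding:
    value = unescape_report_string(report_value)
    entries = split_shell_value(value)
    extra = [e for e in entries if e.lower() != DEFAULT_SHELL]
    return ShellFinding(
        raw=value,
        entries=entries,
        extra=extra,
        user_writable=[e for e in extra if _USER_WRITABLE_RE.match(e)],
    )


def persistence_payloads(report_values) -> list:
    """Every non-shell program across all observed Shell writes, first-seen order, deduplicated."""
    seen = []
    for v in report_values:
        for e in analyse_shell_value(v).extra:
            if e not in seen:
                seen.append(e)
    return seen


# The four "Set value (str)" rows from the behavioral1 table, verbatim (escaped form).
REPORT_VALUES = [
    r'explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Vipertex\\Saten.exe\",',
    r'explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\",',
    r'explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\",',
    r'explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\",',
]

if __name__ == "__main__":
    for v in REPORT_VALUES:
        f = analyse_shell_value(v)
        print("TAMPERED" if f.tampered else "clean", f.extra)
    print("stock value tampered:", analyse_shell_value(DEFAULT_SHELL).tampered)
```

A clean host yields no extras. Remediation is to write explorer.exe back and remove the four referenced files; check HKLM as well, because this table only shows the per-user write.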

PureCrypter

loader downloader purecrypter

SmokeLoader

trojan backdoor smokeloader

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qekjvo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rzaylm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tjmotg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Count
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 12
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 5
C:\Users\Admin\AppData\Local\Temp\tjmotg.exe 3
C:\Users\Admin\AppData\Local\Temp\qekjvo.exe 2
(Description, Indicator and Target were N/A for every row; identical rows collapsed into a count per process.)

Suspicious use of WriteProcessMemory

Count Description Process Target
12 PID 1484 wrote to memory of 1076 C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
4 PID 1076 wrote to memory of 1196 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
4 PID 1196 wrote to memory of 1732 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4 PID 1732 wrote to memory of 808 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\qekjvo.exe
10 PID 808 wrote to memory of 1088 C:\Users\Admin\AppData\Local\Temp\qekjvo.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
4 PID 1076 wrote to memory of 1512 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
4 PID 1512 wrote to memory of 1808 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4 PID 1808 wrote to memory of 1684 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\rzaylm.exe
4 PID 1684 wrote to memory of 1728 C:\Users\Admin\AppData\Local\Temp\rzaylm.exe C:\Windows\SysWOW64\cmd.exe
4 PID 1728 wrote to memory of 1012 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
10 PID 1684 wrote to memory of 2012 C:\Users\Admin\AppData\Local\Temp\rzaylm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
(Identical rows collapsed; Count is the number of WriteProcessMemory calls the sandbox logged for that parent/child pair. The Indicator column was N/A throughout.)
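Read as a chain, the rows above show the dropper writing into a freshly started RegAsm.exe, that RegAsm.exe spawning cmd.exe/powershell.exe to launch the next stage, and each next stage (qekjvo.exe, rzaylm.exe) writing into its own .NET host (the 64-bit RegAsm.exe under Framework64, then InstallUtil.exe). Combined with the SetThreadContext and MapViewOfSection signatures and the fact that every RegAsm.exe and InstallUtil.exe in the process list has no command line at all, this is the shape of process hollowing. The example below was written for this report (not sandbox-vendor or malware code): it parses the raw one-row-per-call output, collapses repeats, and flags the edges that look like hollowing rather than plain process creation. The heuristic is our own interpretation; the edges into cmd.exe and powershell.exe show four writes each, which is what ordinary CreateProcess looks like here, while the writes into the .NET hosts number 10 to 12. HOLLOW_HOSTS and MIN_HOLLOW_WRITES are assumptions to tune locally.

```python
"""Rebuild the process-injection chain from the sandbox's WriteProcessMemory rows.

Added example for this report; not sandbox-vendor or malware code. The rows are
the behavioral1 "Suspicious use of WriteProcessMemory" entries; the sandbox
prints one row per call, so identical rows are expanded from a count below.
The hollowing heuristic (parent in a user-writable directory, many writes into
a Windows-shipped .NET utility) is our interpretation, and the host list and
threshold are assumptions.
"""
import re
from collections import OrderedDict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)
# .NET utilities that ship with Windows and are routinely abused as hollowing hosts (assumption).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "applaunch.exe"}
MIN_HOLLOW_WRITES = 8   # ordinary CreateProcess shows 4 writes in this report; a PE image needs more


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Yield (src_pid, dst_pid, src_image, dst_image); rows that do not match are skipped."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def summarize_injections(rows):
    """Collapse one-row-per-call output into {(src_pid, dst_pid): {..., 'count': n}}, first-seen order."""
    edges = OrderedDict()
    for s, d, si, di in parse_rows(rows):
        e = edges.setdefault((s, d), {"src_image": si, "dst_image": di, "count": 0})
        e["count"] += 1
    return edges


def suspicious_injections(rows, min_writes=MIN_HOLLOW_WRITES):
    """[(src_pid, dst_pid, reason)] for edges that look like hollowing rather than process creation."""
    out = []
    for (s, d), e in summarize_injections(rows).items():
        host = basename(e["dst_image"]).lower() in HOLLOW_HOSTS
        untrusted_parent = bool(USER_WRITABLE_RE.search(e["src_image"]))
        if host and untrusted_parent and e["count"] >= min_writes:
            out.append((s, d, f"{basename(e['src_image'])} wrote {e['count']}x into {basename(e['dst_image'])}"))
    return out


def render_chain(rows):
    """One line per parent/child pair, e.g. '1076 RegAsm.exe -> 1196 cmd.exe [4 writes]'."""
    return [
        f"{s} {basename(e['src_image'])} -> {d} {basename(e['dst_image'])} [{e['count']} writes]"
        for (s, d), e in summarize_injections(rows).items()
    ]


# Images exactly as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"
REGASM32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
REGASM64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
QEKJVO = r"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"
RZAYLM = r"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"

# (src_pid, dst_pid, src_image, dst_image, number of identical rows in the report)
_REPORT_EDGES = [
    (1484, 1076, SAMPLE, REGASM32, 12), (1076, 1196, REGASM32, CMD, 4), (1196, 1732, CMD, PS, 4),
    (1732, 808, PS, QEKJVO, 4), (808, 1088, QEKJVO, REGASM64, 10), (1076, 1512, REGASM32, CMD, 4),
    (1512, 1808, CMD, PS, 4), (1808, 1684, PS, RZAYLM, 4), (1684, 1728, RZAYLM, CMD, 4),
    (1728, 1012, CMD, PS, 4), (1684, 2012, RZAYLM, INSTALLUTIL, 10),
]
REPORT_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in _REPORT_EDGES for _ in range(n)]

if __name__ == "__main__":
    print("\n".join(render_chain(REPORT_ROWS)))
    for s, d, why in suspicious_injections(REPORT_ROWS):
        print("HOLLOWING?", s, "->", d, why)
```

On a live host the same logic applies to Sysmon Event ID 8 (CreateRemoteThread) or 10 (ProcessAccess) rather than a sandbox table; the Framework64 path on the 808 to 1088 edge shows the second stage picked the 64-bit RegAsm.exe, so a detection keyed only on the 32-bit path would miss it.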

Processes

C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe

"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"'

C:\Users\Admin\AppData\Local\Temp\qekjvo.exe

"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"'

C:\Users\Admin\AppData\Local\Temp\rzaylm.exe

"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(Decoded, since -ENC is base64 of UTF-16LE text: set-mppreference -exclusionpath C:\ ; this excludes the entire system drive from Microsoft Defender scanning.)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjmotg.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjmotg.exe"'

C:\Users\Admin\AppData\Local\Temp\tjmotg.exe

"C:\Users\Admin\AppData\Local\Temp\tjmotg.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(Decoded: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' ; the same whole-drive Defender exclusion, this time after a 10-second sleep.)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe"'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe

"C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 update-checker-status.cc udp 1
NL 84.32.190.34:80 update-checker-status.cc tcp 1
NL 193.142.146.212:8808 (none, direct to IP) tcp 5
(Five identical rows for 193.142.146.212:8808 collapsed. The 8.8.8.8:53 row is the sandbox's resolver answering the lookup for update-checker-status.cc, not attacker infrastructure; the indicators are the domain, 84.32.190.34:80 and 193.142.146.212:8808.)

Files

memory/1484-54-0x0000000000D20000-0x0000000000EFA000-memory.dmp

memory/1484-55-0x0000000004300000-0x00000000043D2000-memory.dmp

memory/1484-N-0x0000000004300000-0x00000000043CB000-memory.dmp for N = 56, 57 and every odd N from 59 to 119 (33 dumps of the same 0xCB000-byte region in PID 1484, collapsed)

memory/1484-2400-0x00000000043D0000-0x0000000004462000-memory.dmp

memory/1484-2401-0x0000000004E70000-0x0000000004EB0000-memory.dmp

memory/1076-2413-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1076-2414-0x0000000004E00000-0x0000000004E40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAE8A.tmp (Cab*.tmp and Tar*.tmp pairs in Temp are written by Windows' automatic root-certificate update through CryptoAPI and show up in most detonations; routine noise rather than a file dropped by the sample, as is TarB438.tmp below)

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

memory/1076-2431-0x0000000000810000-0x000000000081C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarB438.tmp

MD5 73b4b714b42fc9a6aaefd0ae59adb009
SHA1 efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256 c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

memory/1732-2453-0x0000000001D90000-0x0000000001DD0000-memory.dmp

memory/1732-2454-0x0000000001D90000-0x0000000001DD0000-memory.dmp

memory/1732-2455-0x0000000001D90000-0x0000000001DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qekjvo.exe (logged three times, once as \Users\Admin\AppData\Local\Temp\qekjvo.exe, with identical hashes; collapsed)

MD5 494969d84ee004227da4051403cbc098
SHA1 befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256 c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512 ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

memory/808-2459-0x000000013FB30000-0x000000013FC02000-memory.dmp

memory/808-2460-0x000000001ACC0000-0x000000001AD84000-memory.dmp

memory/808-2461-0x000000001B2C0000-0x000000001B340000-memory.dmp

memory/1076-2463-0x0000000004E00000-0x0000000004E40000-memory.dmp

memory/1088-2474-0x0000000140000000-0x00000001400D9000-memory.dmp

\??\PIPE\srvsvc (named pipe to the Server service; the hashes below are the digests of zero bytes, so no content was captured. The same entry recurs twice more in this run.)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (also written as C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SEYUE17MLALUHN0ZH03H.temp with the same hashes, and logged four more times in this run; Windows jump-list bookkeeping maintained by the shell, not a file dropped by the sample)

MD5 899bb4e811f6db63886060304509fb54
SHA1 86f72a84a4421ec4d48733385c644d61ab0dbecd
SHA256 dbc060b11450bc2716443019944d28ad25f3254fc45fa533cde0a17fada74e6b
SHA512 26197246e8ab91acb5d692fda233d93d95825f5b394fd210be907b268676c1c4e20457bacaa47f19ec349bac8c5308df7e794c767e6016e64281f8f0d5912c44

C:\Users\Admin\AppData\Local\Temp\rzaylm.exe (logged three times, once as \Users\Admin\AppData\Local\Temp\rzaylm.exe, with identical hashes; collapsed)

MD5 7bf2898f75b3974d2c53999f8d3f40fb
SHA1 c406aeef85ed1ce026b98b858af4be62da421119
SHA256 c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA512 20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

memory/1808-2505-0x00000000023D0000-0x0000000002410000-memory.dmp

memory/1684-2506-0x0000000004830000-0x00000000048DA000-memory.dmp

memory/1808-2504-0x00000000023D0000-0x0000000002410000-memory.dmp

memory/1684-2503-0x0000000000990000-0x0000000000AE0000-memory.dmp

memory/1684-2507-0x00000000002F0000-0x0000000000302000-memory.dmp

memory/1684-2518-0x0000000004960000-0x00000000049A0000-memory.dmp

memory/1012-2520-0x00000000027B0000-0x00000000027F0000-memory.dmp

memory/1012-2522-0x00000000027B0000-0x00000000027F0000-memory.dmp

memory/1012-2524-0x00000000027B0000-0x00000000027F0000-memory.dmp

memory/2012-2529-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2012-2530-0x0000000004F20000-0x0000000004F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tjmotg.exe (logged three times, once as \Users\Admin\AppData\Local\Temp\tjmotg.exe, with identical hashes; collapsed)

MD5 a08e5952ddaaabe4b7deaf30e3e522d3
SHA1 d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA256 52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA512 2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

memory/964-2558-0x0000000001390000-0x00000000015E6000-memory.dmp

memory/964-2559-0x0000000000C10000-0x0000000000CB8000-memory.dmp

memory/964-2560-0x0000000000570000-0x00000000005B0000-memory.dmp

memory/2012-2567-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/1196-2569-0x00000000026A0000-0x00000000026E0000-memory.dmp

memory/1196-2568-0x00000000026A0000-0x00000000026E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe (logged three times, once as \Users\Admin\AppData\Local\Temp\tjlmuu.exe, with identical hashes; collapsed)

MD5 a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1 a5de59863fb4acc05a9253562172f802420ed21b
SHA256 2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512 659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

memory/1680-2602-0x0000000002840000-0x0000000002880000-memory.dmp

memory/1752-2603-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1020-2605-0x0000000000CC0000-0x000000000129A000-memory.dmp

memory/1020-2606-0x000000001CAD0000-0x000000001D1D8000-memory.dmp

memory/1020-2607-0x000000001C470000-0x000000001C4F0000-memory.dmp

memory/1752-2674-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1020-2946-0x000000001C470000-0x000000001C4F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-27 06:43

Reported

2023-02-27 06:46

Platform

win10v2004-20230220-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"

Signatures

AsyncRat

rat asyncrat

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Vipertex\\Saten.exe\"," C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\"," C:\Users\Admin\AppData\Local\Temp\rtimlm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\"," C:\Users\Admin\AppData\Local\Temp\ezciiu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\"," C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
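
The rows above show the same technique four times: Winlogon\Shell is rewritten from its only legitimate value, `explorer.exe`, to a comma-separated list that appends a dropped executable, so winlogon launches the implant at every interactive logon of that user. The following check is an added example written for this report, not sandbox or vendor code: it takes Shell values in the escaped form the report prints them (the first two sample values are copied from the rows above, the third is a clean baseline constructed for contrast), splits them the way winlogon does, and returns every program other than the default shell.

```python
"""Flag programs appended to the Winlogon\\Shell value.

Added example, not part of the sandbox report. Winlogon starts whatever
Shell names at every interactive logon, so the only legitimate value is
"explorer.exe"; any comma-separated entry after it is persistence.
"""
import re

DEFAULT_SHELL = "explorer.exe"

# Values exactly as the report renders them (backslashes and quotes escaped):
# two copied from its "Modifies WinLogon for persistence" rows, plus a clean
# baseline constructed for contrast.
SAMPLE_SHELL_VALUES = [
    r'explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Vipertex\\Saten.exe\",',
    r'explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\",',
    r'explorer.exe',
]


def unescape_report_value(value: str) -> str:
    """Undo the JSON-style escaping the report applies to registry strings."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def split_shell_value(value: str) -> list[str]:
    """Split a Shell value into program entries.

    Entries are comma separated and may be double-quoted (paths with spaces
    or commas), so a quoted run is taken as one entry; the empty entry left
    by a trailing comma is dropped.
    """
    entries = re.findall(r'"[^"]*"|[^,]+', unescape_report_value(value))
    return [e.strip().strip('"') for e in entries if e.strip()]


def extra_shell_programs(value: str) -> list[str]:
    """Every entry other than the default shell, i.e. what winlogon will also launch."""
    return [p for p in split_shell_value(value) if p.lower() != DEFAULT_SHELL]


def is_tampered(value: str) -> bool:
    """True when Shell names anything beyond explorer.exe."""
    return bool(extra_shell_programs(value))


if __name__ == "__main__":
    for v in SAMPLE_SHELL_VALUES:
        print(is_tampered(v), extra_shell_programs(v))
```

On a live host the same functions apply to the raw value read from `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` (skip `unescape_report_value`, since the escaping is an artifact of the report), and the machine-wide key under `HKLM` deserves the same check: a per-user Shell override is what this sample writes, but either location runs at logon.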

SmokeLoader

trojan backdoor smokeloader

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ezciiu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3336 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 648 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 648 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 3572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\rtimlm.exe
PID 4580 wrote to memory of 3572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\rtimlm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 3336 wrote to memory of 1944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1944 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1944 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3744 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\ezciiu.exe
PID 3744 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\ezciiu.exe
PID 3744 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\ezciiu.exe
PID 2948 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2948 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\ezciiu.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3336 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3880 wrote to memory of 3612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe
PID 3880 wrote to memory of 3612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe
PID 3880 wrote to memory of 3612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe
PID 3612 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
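
Read as a chain rather than a list, the table above is the whole loader story: the sample writes into a freshly started RegAsm.exe (the .NET payload is hollowed into a signed Microsoft binary), that RegAsm runs cmd.exe, cmd.exe runs PowerShell, PowerShell starts a dropped executable, and each dropped executable in turn hollows its own RegAsm.exe or InstallUtil.exe. The sandbox logs one row per WriteProcessMemory call, which is why edges repeat. The script below is an added example written for this report, not sandbox code: it parses rows in the report's own format (a constructed subset of the rows above is embedded), collapses repeated calls into one edge with a count, renders the chain as a tree, and flags writes into a watchlist of .NET utilities that crypters commonly use as hollow hosts. The watchlist beyond RegAsm.exe and InstallUtil.exe (the two seen here) is an assumption, not something the report states.

```python
"""Rebuild the launch/injection chain from 'wrote to memory of' rows.

Added example, not part of the sandbox report. It parses rows in the
report's "PID A wrote to memory of B <indicator> <writer> <target>" format,
collapses repeated write calls into one edge with a count, and flags writes
whose target is a .NET utility that crypters commonly hollow.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Assumed watchlist: signed .NET framework binaries that PureCrypter-style
# loaders start suspended and overwrite with the payload. RegAsm.exe and
# InstallUtil.exe are the two that appear in this report.
HOLLOW_HOSTS = {"regasm.exe", "installutil.exe", "regsvcs.exe",
                "msbuild.exe", "applaunch.exe"}

# Constructed subset of the report's WriteProcessMemory rows (duplicates kept
# on purpose: the sandbox logs one row per WriteProcessMemory call).
SAMPLE_ROWS = r"""
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4400 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3336 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 3572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\rtimlm.exe
PID 3572 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rtimlm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"""


@dataclass(frozen=True)
class Edge:
    writer_pid: int
    target_pid: int
    writer_image: str
    target_image: str


def parse_rows(text: str) -> Counter:
    """Map each distinct (writer, target) edge to its number of write calls."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[Edge(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return edges


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def hollow_candidates(edges: Counter) -> list[Edge]:
    """Edges where a process writes into a known hollow host."""
    return [e for e in edges if image_name(e.target_image) in HOLLOW_HOSTS]


def render_chain(edges: Counter, root_pid: int) -> list[str]:
    """Depth-first listing of the chain rooted at root_pid, one line per process."""
    children: dict[int, list[Edge]] = {}
    images: dict[int, str] = {}
    for e in edges:
        children.setdefault(e.writer_pid, []).append(e)
        images.setdefault(e.writer_pid, e.writer_image)
        images[e.target_pid] = e.target_image
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        name = image_name(images[pid])
        mark = " [hollow host]" if name in HOLLOW_HOSTS else ""
        lines.append(f"{'  ' * depth}{pid} {name}{mark}")
        for e in children.get(pid, []):
            walk(e.target_pid, depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_chain(edges, 4400)))
    for e in hollow_candidates(edges):
        print(f"{e.writer_pid} -> {e.target_pid}: {edges[e]} write(s) into {image_name(e.target_image)}")
```

Run against the full table, the tree makes the tiered structure obvious: every process that touches the network or writes persistence is a RegAsm.exe or InstallUtil.exe whose on-disk image is Microsoft's, so image-path allow-listing alone will not catch it; the useful signal is a user-writable Temp executable (or PowerShell) being the parent and writer of a .NET framework utility.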

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe

"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rtimlm.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rtimlm.exe"'

C:\Users\Admin\AppData\Local\Temp\rtimlm.exe

"C:\Users\Admin\AppData\Local\Temp\rtimlm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ezciiu.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ezciiu.exe"'

C:\Users\Admin\AppData\Local\Temp\ezciiu.exe

"C:\Users\Admin\AppData\Local\Temp\ezciiu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"'

C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe

"C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fkytby.exe"' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fkytby.exe"'

C:\Users\Admin\AppData\Local\Temp\fkytby.exe

"C:\Users\Admin\AppData\Local\Temp\fkytby.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 update-checker-status.cc udp
NL 84.32.190.34:80 update-checker-status.cc tcp
NL 193.142.146.212:8808 tcp
US 8.8.8.8:53 34.190.32.84.in-addr.arpa udp
US 8.8.8.8:53 212.146.142.193.in-addr.arpa udp
NL 193.142.146.212:8808 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 20.189.173.5:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
NL 193.142.146.212:8808 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 193.142.146.212:8808 tcp
NL 8.238.177.126:80 tcp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
NL 193.142.146.212:8808 tcp
US 8.8.8.8:53 glueberry-og.cc udp
DE 193.142.147.59:80 glueberry-og.cc tcp
US 8.8.8.8:53 glueberry-og.co udp
DE 193.142.147.59:80 glueberry-og.co tcp

Files

memory/4400-133-0x0000000000490000-0x000000000066A000-memory.dmp

memory/4400-134-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-135-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-137-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-139-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-141-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-143-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-145-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-147-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-149-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-151-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-153-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-155-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-157-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-159-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-161-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-163-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-165-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-167-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-169-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-171-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-173-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-175-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-177-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-179-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-181-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-183-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-185-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-187-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-189-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-191-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-193-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-195-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-197-0x0000000004FD0000-0x000000000509B000-memory.dmp

memory/4400-2478-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4400-2479-0x0000000005250000-0x0000000005272000-memory.dmp

memory/4400-2480-0x0000000005330000-0x0000000005396000-memory.dmp

memory/4400-2481-0x0000000031950000-0x00000000319E2000-memory.dmp

memory/4400-2482-0x0000000031FA0000-0x0000000032544000-memory.dmp

memory/3336-2486-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3336-2487-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/3336-2488-0x0000000005990000-0x0000000005A2C000-memory.dmp

memory/3336-2489-0x0000000006B90000-0x0000000006C06000-memory.dmp

memory/3336-2490-0x0000000006B40000-0x0000000006B5E000-memory.dmp

memory/4580-2492-0x0000000002AC0000-0x0000000002AF6000-memory.dmp

memory/4580-2493-0x0000000005720000-0x0000000005D48000-memory.dmp

memory/4580-2494-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/4580-2495-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/4580-2501-0x0000000005D50000-0x0000000005DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1teaz35.rwq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4580-2506-0x0000000006400000-0x000000000641E000-memory.dmp

memory/4580-2507-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/4580-2509-0x0000000006940000-0x0000000006962000-memory.dmp

memory/4580-2508-0x00000000068F0000-0x000000000690A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rtimlm.exe

MD5 494969d84ee004227da4051403cbc098
SHA1 befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256 c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512 ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

memory/4580-2511-0x0000000002D80000-0x0000000002D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rtimlm.exe

MD5 494969d84ee004227da4051403cbc098
SHA1 befd216439b68c83899476ea7bf5c7eff025bdc6
SHA256 c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48
SHA512 ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

memory/3572-2515-0x0000000000510000-0x00000000005E2000-memory.dmp

memory/3572-2516-0x00000000027F0000-0x0000000002812000-memory.dmp

memory/3336-2517-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/3572-2518-0x000000001C9E0000-0x000000001C9F0000-memory.dmp

memory/2472-2524-0x0000000140000000-0x00000001400D9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5315900105942deb090a358a315b06fe
SHA1 22fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256 e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA512 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

memory/3744-2527-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/3744-2528-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b65221b1b05b3d92a6d4bedba9014eb0
SHA1 34203816996d5e47c16893720d98de88e6df2802
SHA256 e95abbdf7deacde619683f68c9010500d6e47f9de79ff7f98e4ae1e1bbbb36a5
SHA512 1d6e4a99d65a37a56f50b8926a6fb04afdef362ddee3606680e52429b961db70a0c5cc1bece080f241ccd776c6ea751a6be6c2cf2dabc449924e1f9836bef820

C:\Users\Admin\AppData\Local\Temp\ezciiu.exe

MD5 7bf2898f75b3974d2c53999f8d3f40fb
SHA1 c406aeef85ed1ce026b98b858af4be62da421119
SHA256 c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA512 20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

C:\Users\Admin\AppData\Local\Temp\ezciiu.exe

MD5 7bf2898f75b3974d2c53999f8d3f40fb
SHA1 c406aeef85ed1ce026b98b858af4be62da421119
SHA256 c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208
SHA512 20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676

memory/2948-2541-0x0000000000970000-0x0000000000AC0000-memory.dmp

memory/2948-2543-0x00000000054D0000-0x00000000054E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c3804deb057a26588c01312d798f46c
SHA1 c1bce310e3fcb8942bdea4538a051160ce5c7bd0
SHA256 ce672f64c78d0bd00b42f11aea454eecc925ec9397f109d08909089eeda68719
SHA512 1a1b3f18ed9ec3923c42b669cb08134855995244a57ab1c4df1734543bcbaf2785ab1d3acfb5eb3cc16c1d9c873198b4e074d004de5577c247016185cd5fc505

memory/4676-2557-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4676-2559-0x00000000052D0000-0x00000000052E0000-memory.dmp

memory/4764-2560-0x0000000002D90000-0x0000000002DA0000-memory.dmp

memory/4676-2558-0x00000000052A0000-0x00000000052AA000-memory.dmp

memory/4764-2561-0x0000000002D90000-0x0000000002DA0000-memory.dmp

memory/4764-2562-0x0000000007560000-0x0000000007592000-memory.dmp

memory/4764-2563-0x000000006F1B0000-0x000000006F1FC000-memory.dmp

memory/4764-2573-0x0000000007520000-0x000000000753E000-memory.dmp

memory/4764-2574-0x0000000002D90000-0x0000000002DA0000-memory.dmp

memory/4764-2575-0x000000007FCC0000-0x000000007FCD0000-memory.dmp

memory/4764-2576-0x0000000007D80000-0x00000000083FA000-memory.dmp

memory/4764-2577-0x0000000007730000-0x000000000773A000-memory.dmp

memory/4764-2578-0x00000000078F0000-0x00000000078FE000-memory.dmp

memory/4764-2579-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/4764-2580-0x00000000079E0000-0x00000000079E8000-memory.dmp

memory/4676-2582-0x00000000052D0000-0x00000000052E0000-memory.dmp

memory/3880-2593-0x0000000004980000-0x0000000004990000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a8f20e557c24c99a1a67ebd0fa15de2
SHA1 89be00be2a5971c9b5a2ac689a9c1e3bce57be49
SHA256 79cae3451465615e6488677cefd9f814acdf00df32a33df3760acaf5352f5c60
SHA512 3254664c4195e9ca21e634ca75645207c88b9ad0672b54bdeb1eb1c13b3b09c9c3c37a6830f2ad8d6048b7dee96e04e6597e22b93ac76213a8c94029e26071c5

memory/3880-2595-0x0000000004980000-0x0000000004990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe

MD5 a08e5952ddaaabe4b7deaf30e3e522d3
SHA1 d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA256 52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA512 2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe

MD5 a08e5952ddaaabe4b7deaf30e3e522d3
SHA1 d111978b9e2ea04f53ce48a36a4fde0e0e900ba3
SHA256 52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f
SHA512 2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

memory/3612-2599-0x0000000000060000-0x00000000002B6000-memory.dmp

memory/3612-2600-0x0000000004B80000-0x0000000004B90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b687ef43eeeef6b2c7593b4ee9c04934
SHA1 f3df62b9c57b8d7025cdf0557a5b09e9e8257fc4
SHA256 e6201c20476964e81a9283981aca9322199bcabaeecb683b3184d93ef6ec4cde
SHA512 d7fc2466760a8f73e718c52fcc5a6be060c69aabb8e12e43761bb3a309a5b2ed419f56d0a70871d04f2b868fdc3d653fbae81b742b78cede1714e0567a90d9c4

memory/4252-2611-0x0000000004870000-0x0000000004880000-memory.dmp

memory/4252-2612-0x0000000004870000-0x0000000004880000-memory.dmp

memory/4252-2613-0x0000000004870000-0x0000000004880000-memory.dmp

memory/3612-2614-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/4252-2615-0x0000000004870000-0x0000000004880000-memory.dmp

memory/4252-2616-0x0000000004870000-0x0000000004880000-memory.dmp

memory/4252-2618-0x000000006ED20000-0x000000006ED6C000-memory.dmp

memory/4252-2633-0x0000000004870000-0x0000000004880000-memory.dmp

memory/4252-2638-0x000000007F010000-0x000000007F020000-memory.dmp

memory/4540-2639-0x00000000027E0000-0x00000000027F0000-memory.dmp

memory/4540-2640-0x00000000027E0000-0x00000000027F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fkytby.exe

MD5 a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1 a5de59863fb4acc05a9253562172f802420ed21b
SHA256 2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512 659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b22d1c5159fa97764f06b9bf25710c3c
SHA1 78df3f3d3edbec3c1126ecf65c3f0db9403065f3
SHA256 a116123461640b3e53e88727026e835e15d3a9def2a95f2ecde06ef0d4e69d89
SHA512 785c5ac714fd7aeed8fc60f0d82331e3b5c9b3515092e61fef4aedf51a505431e3d72e06b6ac2d2e2ab35b45d9d30bdbf4ab6f947cc17ac29f6f1a88477b5f0d

C:\Users\Admin\AppData\Local\Temp\fkytby.exe

MD5 a4f3e603a335cbd6d8f9ff11c8f9a9c2
SHA1 a5de59863fb4acc05a9253562172f802420ed21b
SHA256 2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e
SHA512 659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2

memory/4176-2646-0x00000000002E0000-0x00000000008BA000-memory.dmp

memory/4176-2647-0x000000001DB20000-0x000000001DB30000-memory.dmp

memory/4500-2657-0x0000000000400000-0x0000000000409000-memory.dmp