Malware Analysis Report

2025-03-15 03:51

Sample ID 230904-2zxknabg6v
Target 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
SHA256 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
Tags
fatalrat evasion infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1

Threat Level: Known bad

The file 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1 was found to be: Known bad.

Malicious Activity Summary

fatalrat evasion infostealer rat

FatalRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Fatal Rat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-04 23:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-04 23:01

Reported

2023-09-04 23:04

Platform

win7-20230831-en

Max time kernel

144s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Wine C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
PID 1596 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
PID 1596 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
PID 1596 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
PID 932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

"C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

"C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

Network

Country Destination Domain Proto
US 193.218.201.159:8082 193.218.201.159 tcp
US 193.218.201.159:8082 193.218.201.159 tcp
US 154.64.6.11:8048 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1b4ee89979da762a7f42a3a258d3235a
SHA1 6e2a8939403646e4896c6d0995b7208325230e5b
SHA256 53c25b59c3d47a631ace32aa8be4be321c9a9099971244fb3b5657faff28e53c
SHA512 6c00cf56a86c31d9683f95b1d28da2d336a12e9758dcaffa38a82f3b530488d245a2d6503e2757cf98226798dafb40e5cb6d595dfdcdb8ce1401874d0edfb5ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SROF4OFQQ6OFVV9VXETC.temp

MD5 1b4ee89979da762a7f42a3a258d3235a
SHA1 6e2a8939403646e4896c6d0995b7208325230e5b
SHA256 53c25b59c3d47a631ace32aa8be4be321c9a9099971244fb3b5657faff28e53c
SHA512 6c00cf56a86c31d9683f95b1d28da2d336a12e9758dcaffa38a82f3b530488d245a2d6503e2757cf98226798dafb40e5cb6d595dfdcdb8ce1401874d0edfb5ff

C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

MD5 bec9b4e7943863ac7cd194c47ff11157
SHA1 6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99
SHA256 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
SHA512 e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

MD5 bec9b4e7943863ac7cd194c47ff11157
SHA1 6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99
SHA256 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
SHA512 e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 029dd733080b6b0624281b76a15b8468
SHA1 96e29a2fc02e27a5005ff61be54247829b6be099
SHA256 abcdcda56576360c1fe2e7cd3599c8e2105a22d21734289965f62a76aaad6e29
SHA512 38cdd2ffefb20713b8c94fba80e79d123e401ac621edae09391a7a4bc0c08749407999e1c0c9b78288131d95c0c8b292fe3bef5969c637939daff94886d4e1c0

C:\Users\Default\Desktop\athletes.exe

MD5 bec9b4e7943863ac7cd194c47ff11157
SHA1 6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99
SHA256 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
SHA512 e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-04 23:01

Reported

2023-09-04 23:04

Platform

win10v2004-20230831-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Wine C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A (2 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (16 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe N/A (46 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 368 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2136 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2192 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 964 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 3904 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe
PID 3904 wrote to memory of 4380 (3 writes) N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 1016 (3 writes) N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 5032 (3 writes) N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 2672 (3 writes) N/A C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

"C:\Users\Admin\AppData\Local\Temp\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

"C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -
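
The WriteProcessMemory rows carry the parent and child PIDs of every launch, and the Processes list carries the command lines. Together they show the original executable in Temp (PID 2080) spawning four PowerShell instances plus a copy of itself under AppData\Local (PID 3904), which spawns four more. The Python below is an added example for this report, not the sandbox's own code: it parses rows in the table's wording (the nine distinct parent/child pairs, each tripled as in the report, since CreateProcess writes into the new child several times), deduplicates them into a process tree, flags the launches a responder would act on, and classifies the command lines. `powershell -Command -` makes PowerShell read its script from standard input, so nothing of the script is visible on the command line. The page does not say which PID ran which command line, so that mapping is not assumed; the function names are this example's own.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows
and flag the launch pattern this detonation shows.

Added example for this report, not sandbox tooling. Edge data is the nine
distinct parent/child pairs from the table; the report lists each three
times, which the parser deduplicates. PID-to-command-line mapping is not
given on the page, so command lines are classified on their own."""

from __future__ import annotations

import re
from collections import defaultdict

SAMPLE = "110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe"
TEMP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
LOCAL_EXE = "C:\\Users\\Admin\\AppData\\Local\\" + SAMPLE
POWERSHELL = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"

_UNIQUE_EDGES = [  # (parent_pid, child_pid, parent_image, child_image) from the report
    (2080, 368, TEMP_EXE, POWERSHELL), (2080, 2136, TEMP_EXE, POWERSHELL),
    (2080, 2192, TEMP_EXE, POWERSHELL), (2080, 964, TEMP_EXE, POWERSHELL),
    (2080, 3904, TEMP_EXE, LOCAL_EXE),
    (3904, 4380, LOCAL_EXE, POWERSHELL), (3904, 1016, LOCAL_EXE, POWERSHELL),
    (3904, 5032, LOCAL_EXE, POWERSHELL), (3904, 2672, LOCAL_EXE, POWERSHELL),
]
# Reproduce the report's shape: every row appears three times.
WPM_TEXT = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pimg} {cimg}"
    for p, c, pimg, cimg in _UNIQUE_EDGES for _ in range(3)
)

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm(text: str) -> set[tuple[int, int, str, str]]:
    """Distinct (parent_pid, child_pid, parent_image, child_image) edges."""
    edges = set()
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            edges.add((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


class ProcessTree:
    def __init__(self, edges):
        self.image: dict[int, str] = {}
        self.children: dict[int, list[int]] = defaultdict(list)
        self.parent: dict[int, int] = {}
        for p, c, pimg, cimg in sorted(edges):
            self.image[p], self.image[c] = pimg, cimg
            self.children[p].append(c)
            self.parent[c] = p

    def roots(self) -> list[int]:
        return sorted(pid for pid in self.image if pid not in self.parent)

    def render(self, pid: int | None = None, depth: int = 0) -> str:
        """Indented tree, basename only, one process per line."""
        if pid is None:
            return "\n".join(self.render(r) for r in self.roots())
        line = f"{'  ' * depth}{pid} {self.image[pid].rsplit(chr(92), 1)[-1]}"
        kids = [self.render(c, depth + 1) for c in self.children.get(pid, [])]
        return "\n".join([line] + kids)


def _in_user_writable(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def flag_edges(tree: ProcessTree) -> list[tuple[int, int, str]]:
    """Launches a responder would care about: user-writable EXE spawning
    PowerShell, or re-executing a dropped copy of itself."""
    findings = []
    for parent, kids in tree.children.items():
        pimg = tree.image[parent]
        if not _in_user_writable(pimg):
            continue
        for child in kids:
            cimg = tree.image[child]
            same_name = cimg.rsplit("\\", 1)[-1].lower() == pimg.rsplit("\\", 1)[-1].lower()
            if cimg.lower().endswith("\\powershell.exe"):
                findings.append((parent, child, "AppData executable spawned PowerShell"))
            elif _in_user_writable(cimg) and same_name and cimg.lower() != pimg.lower():
                findings.append((parent, child, "AppData executable launched dropped copy of itself"))
    return findings


def classify_cmdline(cmdline: str) -> str:
    """'-Command -' makes powershell.exe read its script from stdin."""
    tokens = cmdline.split()
    if len(tokens) >= 2 and tokens[-2].lower() in ("-command", "-c") and tokens[-1] == "-":
        return "script via stdin"
    if len(tokens) == 1:
        return "interactive/no arguments"
    return "inline arguments"


if __name__ == "__main__":
    tree = ProcessTree(parse_wpm(WPM_TEXT))
    print(tree.render())
    for f in flag_edges(tree):
        print(f)
    for cmd in ("powershell", "powershell -Command -"):
        print(cmd, "->", classify_cmdline(cmd))
```

The same parser works on any section that uses the "PID X wrote to memory of Y" wording; the stdin-fed PowerShell is why the script content has to be recovered from the child's memory dumps rather than from process creation telemetry.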

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 193.218.201.159:8082 193.218.201.159 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 159.201.218.193.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 193.218.201.159:8082 193.218.201.159 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 154.64.6.11:8048 N/A tcp
US 8.8.8.8:53 11.6.64.154.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp
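
Two TCP destinations appear in the table, 193.218.201.159:8082 (twice) and 154.64.6.11:8048; every other row is a reverse-DNS (PTR) query to 8.8.8.8, whose in-addr.arpa label is the target IP's octets in reverse. The page does not say whether the sample or the Windows network stack issued those PTR queries, so the added Python example below (not the sandbox vendor's code) only correlates: it parses rows in the table's column order, tolerates the row with no Domain value, decodes each PTR label back to an IPv4 address, and reports which lookups name a direct TCP peer and which do not. Function names are this example's own.

```python
"""Correlate this report's Network table: which reverse-DNS (PTR) lookups
name the IPs the sample connected to over TCP?

Added example for this report, not sandbox tooling. The rows are copied
from the Network table; parsing assumes the 'Country Destination Domain
Proto' column order and tolerates a missing Domain column."""

from __future__ import annotations

import ipaddress
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 193.218.201.159:8082 193.218.201.159 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 159.201.218.193.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 193.218.201.159:8082 193.218.201.159 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 154.64.6.11:8048 tcp
US 8.8.8.8:53 11.6.64.154.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp
"""


def ptr_to_ip(name: str) -> str | None:
    """'159.201.218.193.in-addr.arpa' -> '193.218.201.159'; None if not a
    well-formed IPv4 reverse-lookup label."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    candidate = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return None
    return candidate


def parse_rows(text: str) -> list[dict]:
    """One dict per row; a 3-field row is treated as having no Domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def correlate(rows: list[dict]) -> dict:
    """Split PTR lookups into those naming a TCP peer and the rest."""
    tcp_peers: dict[str, set[int]] = defaultdict(set)
    ptr_lookups: set[str] = set()
    for r in rows:
        if r["proto"] == "tcp":
            tcp_peers[r["ip"]].add(r["port"])
        elif r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_lookups.add(ip)
    return {
        "tcp_peers": {ip: sorted(ports) for ip, ports in tcp_peers.items()},
        "ptr_for_tcp_peer": sorted(ip for ip in tcp_peers if ip in ptr_lookups),
        "ptr_only": sorted(ptr_lookups - set(tcp_peers)),
    }


if __name__ == "__main__":
    for key, value in correlate(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

Both TCP peers have a matching PTR lookup in the capture; the eleven remaining PTR targets have no direct connection in this table and are what to set aside before treating a looked-up address as an indicator.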

Files

memory/2080-0-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2080-1-0x0000000077B24000-0x0000000077B26000-memory.dmp

memory/2080-2-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2080-3-0x00000000046D0000-0x00000000046D1000-memory.dmp

memory/2080-5-0x00000000046B0000-0x00000000046B1000-memory.dmp

memory/2080-4-0x00000000046C0000-0x00000000046C1000-memory.dmp

memory/2080-6-0x00000000046A0000-0x00000000046A1000-memory.dmp

memory/2080-7-0x00000000046E0000-0x00000000046E1000-memory.dmp

memory/368-9-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/368-8-0x0000000002360000-0x0000000002396000-memory.dmp

memory/368-10-0x00000000023D0000-0x00000000023E0000-memory.dmp

memory/368-12-0x0000000004DD0000-0x00000000053F8000-memory.dmp

memory/368-11-0x00000000023D0000-0x00000000023E0000-memory.dmp

memory/368-13-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

memory/368-14-0x0000000004D50000-0x0000000004DB6000-memory.dmp

memory/368-15-0x0000000005570000-0x00000000055D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vb3bn5k.qxg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/368-25-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

memory/368-26-0x0000000006200000-0x0000000006244000-memory.dmp

memory/2080-27-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/368-28-0x00000000023D0000-0x00000000023E0000-memory.dmp

memory/368-29-0x0000000006FB0000-0x0000000007026000-memory.dmp

memory/368-30-0x00000000076B0000-0x0000000007D2A000-memory.dmp

memory/368-31-0x0000000007050000-0x000000000706A000-memory.dmp

memory/2080-32-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/368-33-0x0000000007200000-0x0000000007296000-memory.dmp

memory/368-34-0x00000000071A0000-0x00000000071C2000-memory.dmp

memory/368-35-0x00000000082E0000-0x0000000008884000-memory.dmp

memory/2080-36-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/368-37-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/368-38-0x00000000023D0000-0x00000000023E0000-memory.dmp

memory/368-39-0x00000000023D0000-0x00000000023E0000-memory.dmp

memory/368-40-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2136-41-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2136-42-0x0000000002D00000-0x0000000002D10000-memory.dmp

memory/2136-43-0x0000000002D00000-0x0000000002D10000-memory.dmp

memory/2136-53-0x0000000002D00000-0x0000000002D10000-memory.dmp

memory/2080-54-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2136-56-0x0000000002D00000-0x0000000002D10000-memory.dmp

memory/2136-57-0x0000000002D00000-0x0000000002D10000-memory.dmp

memory/2136-55-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2192-59-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2192-60-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2192-61-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2080-71-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2192-72-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2192-73-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2192-74-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2192-75-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2080-76-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2192-77-0x0000000004760000-0x0000000004770000-memory.dmp

memory/2192-78-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/964-79-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/964-80-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/964-81-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/964-91-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/964-92-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/2080-93-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/964-94-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/964-95-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/2080-98-0x0000000004D20000-0x0000000004E20000-memory.dmp

memory/2080-99-0x0000000004D20000-0x0000000004E20000-memory.dmp

memory/2080-100-0x0000000010000000-0x0000000010036000-memory.dmp

C:\Users\Admin\AppData\Local\110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1.exe

MD5 bec9b4e7943863ac7cd194c47ff11157
SHA1 6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99
SHA256 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
SHA512 e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

memory/2080-117-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-118-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-120-0x00000000046B0000-0x00000000046B1000-memory.dmp

memory/3904-119-0x00000000046C0000-0x00000000046C1000-memory.dmp

memory/3904-121-0x00000000046A0000-0x00000000046A1000-memory.dmp

memory/3904-122-0x00000000046E0000-0x00000000046E1000-memory.dmp

memory/3904-123-0x00000000046D0000-0x00000000046D1000-memory.dmp

memory/4380-124-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4380-125-0x0000000004D00000-0x0000000004D10000-memory.dmp

memory/3904-139-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-155-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Users\Default\Desktop\athletes.exe

MD5 bec9b4e7943863ac7cd194c47ff11157
SHA1 6ca1a0f4ba363e20994a01b5db1cd4d4a76bba99
SHA256 110da8673eb291da57172ccac873ff42efb62e2f423104dc45571ff30691fcc1
SHA512 e057e1e3289e3d6effbfb2b51efa22401d51ce3506e8eaa2abb26d130297bffe3229dc34dfbe22269585f0245a6f85ab021b171206e7afac97cde49f004a0f8f

memory/3904-175-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-181-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-195-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-207-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-210-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-211-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/3904-212-0x0000000000400000-0x00000000005FF000-memory.dmp