Malware Analysis Report

2025-06-16 02:15

Sample ID: 240125-r75wwsadgl
Target: invoice-INVR-2024012000.exe
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
Tags: asyncrat, default, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
Threat Level: Known bad

The file invoice-INVR-2024012000.exe was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, default, rat

AsyncRat
Async RAT payload
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-25 14:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 14:51
Reported: 2024-01-25 14:53
Platform: win7-20231215-en
Max time kernel: 119s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1696 set thread context of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 1748 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe

Enumerates physical storage devices

Creates scheduled task(s) (tags: persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe (tags: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1696 wrote to memory of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1696 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 560 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 3060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2272 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe
PID 1748 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe
PID 1748 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe
PID 1748 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC0CF.tmp"

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\timeout.exe
    timeout 3

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.bat""

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit

C:\Users\Admin\AppData\Roaming\microsotf.exe
    "C:\Users\Admin\AppData\Roaming\microsotf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp147A.tmp"

C:\Users\Admin\AppData\Roaming\microsotf.exe
    "C:\Users\Admin\AppData\Roaming\microsotf.exe"

C:\Users\Admin\AppData\Roaming\microsotf.exe
    "C:\Users\Admin\AppData\Roaming\microsotf.exe"

C:\Users\Admin\AppData\Roaming\microsotf.exe
    "C:\Users\Admin\AppData\Roaming\microsotf.exe"

Network

Country | Destination | Domain | Proto
HK | 203.20.113.158:8808 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC0CF.tmp

MD5 0ee4bfb4600152f5d9306e023ab8fdde
SHA1 f38323cf349580e6733500e3cd43c0eff4c5eb2a
SHA256 a6d95ba3771817cf85d9db9bc99a07a297d5e26dce5f713b5f601b8c27d60bba
SHA512 38790713425f6334286ed68d02359986a2c56c174d8db9c62b27d924a09db307e05be71dfdcba65b2fe5705ba32cd570ed125d0d9b01c958252641f9c700b347

C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.bat

MD5 1a761df95b36e064c4c01b082cdb48e1
SHA1 eea1c5317cc635331e2141e58ef5cc0ac1bb77f8
SHA256 e78943139b1c71b41ee3a264c43b7c747f834e61b33da21593a3a96052b7fd2c
SHA512 14365d5e432ffe3ac731ff6ec156068a541497735f0bf344c54f877f3ea3144d59e5f463a77f3b7cf0aea55f230a970460f9ae339e7439801597e309f3afa800

C:\Users\Admin\AppData\Roaming\microsotf.exe

MD5 1ae050798555154c3c057598b0ccb3bf
SHA1 d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 31c64c57e8d6702edde993ea0f3a5c85
SHA1 9d7e39461acfa009b7a93e47f8fd035ca0941bc3
SHA256 2ae9fa487f3566553673a1ce24a03dbaa6fbeb1a3d532b3ec4b379ca6ca60328
SHA512 9c863244807c08c07bc37794d19649cb51d6035d29aca7c8ddd2988c9b1ab4b66f700d399f9789708b2ed8b43ccec2b02bde391f0a3ec1ec1cb1bba2762f8817

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZYAE4QG0R93SNYSWXHA.temp

MD5 f9834a578094745d84117a702502d5d8
SHA1 b1e6a112077a2a3e53a10da625104d04065b2a41
SHA256 97c1410511227626914b086377dfc74db167a351dd2cf75713ae329ef14b98c4
SHA512 d6b468cc15ae3a9706eaf05ff03cd43defd89a0931e0a3af98224e65b55bae6f7824f4013bcae4d0c64057951ea10740ec96aafa30199becd7796e7b3ad3e14a

C:\Users\Admin\AppData\Local\Temp\Cab2889.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 14:51
Reported: 2024-01-25 14:53
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1524 set thread context of 528 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 1700 set thread context of 3276 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe

Enumerates physical storage devices

Creates scheduled task(s) (tags: persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe (tags: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1524 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1524 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1524 wrote to memory of 528 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 528 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe | C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 3108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 312 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 312 wrote to memory of 1700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe
PID 1700 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1700 wrote to memory of 3276 | N/A | C:\Users\Admin\AppData\Roaming\microsotf.exe | C:\Users\Admin\AppData\Roaming\microsotf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADF3.tmp"

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'

C:\Windows\SysWOW64\timeout.exe
    timeout 3

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp.bat""

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit

C:\Users\Admin\AppData\Roaming\microsotf.exe
    "C:\Users\Admin\AppData\Roaming\microsotf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EA.tmp"

C:\Users\Admin\AppData\Roaming\microsotf.exe
    "C:\Users\Admin\AppData\Roaming\microsotf.exe"

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
HK | 203.20.113.158:7707 | N/A | tcp
US | 8.8.8.8:53 | 158.113.20.203.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpADF3.tmp

MD5 8617e8cb59c0ae115057557b72a499cd
SHA1 e712f3034b25c1ff6a7ff4e855791227b114836a
SHA256 d6ffb678f979e911abcd4492f054f41af805abb2f3017df2300d0921f9e6f48a
SHA512 e53f141c66b6c4ca1605f59093e3d34d21bd13b2c5eaaeb9514cbfb35905a8ec2932ea7a6cae94e4060b5da60f3f058a560f6fb658594bcb906512daaca67570

memory/1524-19-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/1956-20-0x0000000004FE0000-0x0000000005608000-memory.dmp

memory/528-21-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice-INVR-2024012000.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1524-25-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/528-24-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/1956-26-0x0000000004E70000-0x0000000004E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ujsffpk.fa4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1956-28-0x00000000056F0000-0x0000000005756000-memory.dmp

memory/1956-27-0x0000000005680000-0x00000000056E6000-memory.dmp

memory/1956-38-0x0000000005760000-0x0000000005AB4000-memory.dmp

memory/1956-39-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

memory/1956-40-0x00000000060B0000-0x00000000060FC000-memory.dmp

memory/1956-41-0x00000000023E0000-0x00000000023F0000-memory.dmp

memory/1956-42-0x000000007F6B0000-0x000000007F6C0000-memory.dmp

memory/1956-54-0x0000000006370000-0x000000000638E000-memory.dmp

memory/1956-55-0x0000000006F90000-0x0000000007033000-memory.dmp

memory/1956-44-0x0000000071BF0000-0x0000000071C3C000-memory.dmp

memory/1956-43-0x0000000006390000-0x00000000063C2000-memory.dmp

memory/1956-57-0x00000000070D0000-0x00000000070EA000-memory.dmp

memory/1956-56-0x0000000007710000-0x0000000007D8A000-memory.dmp

memory/528-58-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

memory/1956-59-0x0000000007140000-0x000000000714A000-memory.dmp

memory/1956-60-0x0000000007350000-0x00000000073E6000-memory.dmp

memory/1956-61-0x00000000072D0000-0x00000000072E1000-memory.dmp

memory/1956-62-0x0000000007300000-0x000000000730E000-memory.dmp

memory/1956-63-0x0000000007310000-0x0000000007324000-memory.dmp

memory/1956-64-0x0000000007410000-0x000000000742A000-memory.dmp

memory/1956-65-0x00000000073F0000-0x00000000073F8000-memory.dmp

memory/528-72-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/1956-71-0x0000000075330000-0x0000000075AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp.bat

MD5 77d817e681eb2d7c2149f321c872f5d7
SHA1 91cd5355e16ba3f89a57730cb19c1a405b2b2070
SHA256 71f2990827ffe257fc3f24b863d93ac3fd5fa79003073a9f7213b2ca8dd5d454
SHA512 04b21d984baa9726d00263507286eaf5370ce82d237072c78f138d60520d95bebeca1b961d767003a3f54fb08053a13df1b8d8875406bbe4546b17ad61fd7e21

C:\Users\Admin\AppData\Roaming\microsotf.exe

MD5 10b1595ec906e23650edd19cad7d7e2f
SHA1 f529fb6fc8faa86d5f8056f1f061b0b2157cd7ba
SHA256 be6959d1c3aaceac0cef6fd025fcbaf4e0eae1186032a230d0d56e6f7c53f805
SHA512 64c29fac7fd6d70cd39b7b876f37d0a773b67cc0b38814dce108001ab96325cf08cd3782296150d3832d0b8f1e51442f6fb84770a973ae348bd1f1a85931f464

C:\Users\Admin\AppData\Roaming\microsotf.exe

MD5 c5c0201fff9f1e5ff412e94bfc52663a
SHA1 268dd02109971903cd0f7cc8d9e95f8cb2628ee0
SHA256 126935d5511c09259a12b8a79b771da5ca53e8d3fbbd5cd5e74919689644471a
SHA512 233bae1bb91358f2d28af182a1b2dd0fe8bb1b5ac1570f58185dddf56f5c1f5fa796d504e30443db7488699ec287a78973a7f59a0ed6736b7107a6701aa9ade7

memory/1700-77-0x0000000075320000-0x0000000075AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\microsotf.exe

MD5 ec5d1c15200aacaaba32d179f4bc3f54
SHA1 1832e60a4c1fbe745eca0c6a88d3abbe6207c9d5
SHA256 43e86b88e28fd0de3babc34b019c64ade6ac3ea6ae5d93d47177aa0016896137
SHA512 6d5e16f8d648844b7e7071204d447a3a1498d81b889af08d0f34fddfc10c0282af844ed5b05cd9c5c3f4517fd1af8c643551f272eb97473b45b8ed241f655ff9

memory/1700-78-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/708-81-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/708-83-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/708-84-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/1700-85-0x0000000075320000-0x0000000075AD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\microsotf.exe

MD5 1ae050798555154c3c057598b0ccb3bf
SHA1 d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd

memory/708-88-0x0000000005B60000-0x0000000005EB4000-memory.dmp

memory/3276-90-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/1700-100-0x0000000075320000-0x0000000075AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 105dfa28d0ddd1a1805e6896c8920034
SHA1 9fe9d273add147e154e9b02303db545c72df8f4a
SHA256 70423328450efa9ab5db14995a2648e815c526118fdf7313d537dfc3138d5287
SHA512 21c7edaf1b56a38b9c2a1ba0bee7e8065ea12479bdb85ee86c05e641923f89a445b89790d2db9bd2a9da799b3bcb7de4df32fb6fc6e011aa48bd1c0091e75943

memory/708-102-0x00000000064D0000-0x000000000651C000-memory.dmp

memory/708-103-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/708-104-0x000000007F730000-0x000000007F740000-memory.dmp

memory/708-105-0x0000000075C20000-0x0000000075C6C000-memory.dmp

memory/708-115-0x00000000073D0000-0x0000000007473000-memory.dmp

memory/708-116-0x0000000007710000-0x0000000007721000-memory.dmp

memory/708-117-0x0000000007760000-0x0000000007774000-memory.dmp

memory/708-119-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/3276-120-0x0000000005110000-0x0000000005120000-memory.dmp

memory/3276-123-0x0000000075320000-0x0000000075AD0000-memory.dmp