Malware Analysis Report

2025-06-16 02:14

Sample ID 240125-r8zq9sadgq
Target invoice-INVR-2024012000.exe
SHA256 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
Tags: asyncrat, default, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45

Threat Level: Known bad

The file invoice-INVR-2024012000.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-25 14:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 14:52
Reported: 2024-01-25 14:55
Platform: win10v2004-20231215-en
Max time kernel: 91s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\microsotf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\microsotf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4436 set thread context of 3500 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 4356 set thread context of 4992 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Users\Admin\AppData\Roaming\microsotf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\microsotf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\microsotf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4436 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4436 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\schtasks.exe
PID 4436 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 3500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\cmd.exe
PID 3500 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3568 wrote to memory of 3548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3568 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\microsotf.exe
PID 4356 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4356 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Users\Admin\AppData\Roaming\microsotf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8453.tmp"

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93E3.tmp.bat""

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\microsotf.exe

"C:\Users\Admin\AppData\Roaming\microsotf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"

C:\Users\Admin\AppData\Roaming\microsotf.exe

"C:\Users\Admin\AppData\Roaming\microsotf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
HK 203.20.113.158:7707 tcp
US 8.8.8.8:53 158.113.20.203.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 14:52
Reported: 2024-01-25 14:55
Platform: win7-20231215-en
Max time kernel: 117s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\microsotf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2700 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 1760 set thread context of 1404 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Users\Admin\AppData\Roaming\microsotf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\microsotf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\schtasks.exe
PID 1740 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe
PID 2700 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1712 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\microsotf.exe
PID 1760 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\microsotf.exe C:\Users\Admin\AppData\Roaming\microsotf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D61.tmp"

C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe

"C:\Users\Admin\AppData\Local\Temp\invoice-INVR-2024012000.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA12F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "microsotf" /tr '"C:\Users\Admin\AppData\Roaming\microsotf.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\microsotf.exe

"C:\Users\Admin\AppData\Roaming\microsotf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cDTmbkDzaNG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cDTmbkDzaNG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE485.tmp"

C:\Users\Admin\AppData\Roaming\microsotf.exe

"C:\Users\Admin\AppData\Roaming\microsotf.exe"

Network

Country Destination Domain Proto
HK 203.20.113.158:6606 N/A tcp

Files

memory/1740-0-0x0000000000180000-0x00000000001F2000-memory.dmp

memory/1740-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/1740-2-0x00000000007F0000-0x0000000000830000-memory.dmp

memory/1740-3-0x0000000000430000-0x0000000000448000-memory.dmp

memory/1740-4-0x0000000000470000-0x0000000000478000-memory.dmp

memory/1740-5-0x0000000000480000-0x000000000048C000-memory.dmp

memory/1740-6-0x0000000002150000-0x000000000219C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8D61.tmp

MD5 004b45ca8dd8e6df86f86cfca513bd4a
SHA1 a318146459027397fe0fc51251f03d6a2f35c7a9
SHA256 dceb73d7849fa32c35fcf395a1c5711cac76abdcacf52683c5eb918f08e1dfdc
SHA512 4d37ba0d925b097a95825077d042eb909a6e7ce882224831926968335180174e739f3dc876a85c796fe2f4f47a598526c9b893a316150cb79f90ac7339dbb0a5

memory/2700-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-15-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2700-20-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-22-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-24-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1740-25-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2700-26-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2020-29-0x0000000072470000-0x0000000072A1B000-memory.dmp

memory/2020-30-0x0000000072470000-0x0000000072A1B000-memory.dmp

memory/2020-31-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/2020-32-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/2020-33-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/2020-34-0x0000000072470000-0x0000000072A1B000-memory.dmp

memory/2700-35-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA12F.tmp.bat

MD5 3c9d65e5dc199618d0b2372a0e178505
SHA1 a1ac060b92989a2aec1045ee80538d5f6cc05ab4
SHA256 8a1b2bab7baa563ffca78e40891923765ef9cc4f9faa295b13c771b09660917b
SHA512 1a31925f069dcca2667849411af447687a6531871b11d0e901a03c5708887de3aafe29ebb295277dea45060e4b6636e87c4e4c232481be52c77560ec7acde817

memory/2700-44-0x00000000747B0000-0x0000000074E9E000-memory.dmp

\Users\Admin\AppData\Roaming\microsotf.exe

MD5 1ae050798555154c3c057598b0ccb3bf
SHA1 d570386aa83a9264794b5f562bdd92ad40a845c9
SHA256 923cf7d4a3785f11ac119a4a429a46fbcf1ff745d5865ce05efd9ef0a1ccef45
SHA512 50d970b0a7612a19a0dce40be5595a707912b65ca767e88661fcf693287cdf1e75c2ca00c81fa1c7ec46ea775b12b2126300c4a5ad62212447f32d9bd48c9fcd

memory/1760-50-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/1760-49-0x00000000002D0000-0x0000000000342000-memory.dmp

memory/1760-51-0x0000000004D90000-0x0000000004DD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d6d2b26b785bdab047befea2c1cd725e
SHA1 be7a132f3e04f24b57fc51666c3b3b88b2a37f90
SHA256 64adcdc6f0813fb5635ddea369c3fede6e3d7606d8d4da326b38499fbf42c88d
SHA512 f0468f81adf9e6bb4f64c15c14d3191f5b2bfefe7467e30c1dba8ee0028b022d11942dd59ac862a0a9efe4876c553defbf8e3bb0fade68c5786fa6e8e611d3d6

memory/2184-65-0x000000006F650000-0x000000006FBFB000-memory.dmp

memory/2184-67-0x0000000002400000-0x0000000002440000-memory.dmp

memory/2184-69-0x000000006F650000-0x000000006FBFB000-memory.dmp

memory/1760-74-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2184-71-0x0000000002400000-0x0000000002440000-memory.dmp

memory/1404-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1404-75-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1404-77-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1404-78-0x00000000736C0000-0x0000000073DAE000-memory.dmp

memory/2184-79-0x000000006F650000-0x000000006FBFB000-memory.dmp

memory/1404-80-0x0000000004860000-0x00000000048A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFC7A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1404-97-0x00000000736C0000-0x0000000073DAE000-memory.dmp

memory/1404-98-0x0000000004860000-0x00000000048A0000-memory.dmp