Malware Analysis Report

2024-09-22 07:09

Sample ID 240601-x8mdtscf3t
Target 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d

Threat Level: Known bad

The file 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Asyncrat family

Async RAT payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 19:31

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 19:31

Reported

2024-06-01 19:34

Platform

win7-20240221-en

Max time kernel

145s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2116 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe
PID 2116 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe
PID 2116 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe
PID 2116 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp226F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\notepad.exe

"C:\Users\Admin\AppData\Roaming\notepad.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp

Files

memory/1724-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

memory/1724-1-0x0000000001250000-0x0000000001262000-memory.dmp

memory/1724-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp226F.tmp.bat

MD5 d348de96e40dcdd2d9c0ddb74f9c85ef
SHA1 8af55ff5f9ef874ec6a38f7881ea571ddc702485
SHA256 b07674cbd53ad70441b3ad60e08f4fbcd44cb0f2835ae9bfa3c5674d55cebb56
SHA512 ca0c18258f4c0b0e5422d51124ab2331282c7ba4d90e1835007012d16ecf8cef5ce2d80d9366a5a534aa37c75a50eda2c89910c11dc9671e31b5572cf2a199d6

memory/1724-12-0x00000000744F0000-0x0000000074BDE000-memory.dmp

\Users\Admin\AppData\Roaming\notepad.exe

MD5 b099f31ff999b0aac37e9de2e3160ce6
SHA1 03e35f01dbb3286c943e69771cd630757cd16bdf
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
SHA512 833b9200854811d35a243938dd9f47bb53be3559716438afd91fb8eabf282c6a23d49b4a4e3391e9bccd339048a65d75ec18ba4e8b922caf46d70d83b8a98079

memory/2684-16-0x00000000008B0000-0x00000000008C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 19:31

Reported

2024-06-01 19:34

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3540 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3540 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1248 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1248 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1248 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3540 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe
PID 3540 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe
PID 3540 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe

"C:\Users\Admin\AppData\Local\Temp\0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6F0.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "notepad" /tr '"C:\Users\Admin\AppData\Roaming\notepad.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8

C:\Users\Admin\AppData\Roaming\notepad.exe

"C:\Users\Admin\AppData\Roaming\notepad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 drasticqq.zapto.org udp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
NL 91.92.243.101:1081 drasticqq.zapto.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 drasticqq.zapto.org udp
NL 91.92.243.101:8808 drasticqq.zapto.org tcp

Files

memory/816-0-0x000000007523E000-0x000000007523F000-memory.dmp

memory/816-1-0x0000000000E70000-0x0000000000E82000-memory.dmp

memory/816-2-0x0000000075230000-0x00000000759E0000-memory.dmp

memory/816-3-0x00000000058A0000-0x000000000593C000-memory.dmp

memory/816-8-0x0000000075230000-0x00000000759E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6F0.tmp.bat

MD5 744497cdae5c8bc3d1ba04f3df730ae9
SHA1 e1c28c12a1c8fd0c604aacd2b49de441c4cd1885
SHA256 09b580185f26ab453c8705ba1354bf7f919664bee0342fca5954ed9806d10b30
SHA512 c3f9e674249899b74ed843391d6dea899573aed532222a7d9b1d6b14a67e02168ce83743bf929c60b6a0f422b01026db0c8d593b2c2e676c6df25f0faa611f08

C:\Users\Admin\AppData\Roaming\notepad.exe

MD5 b099f31ff999b0aac37e9de2e3160ce6
SHA1 03e35f01dbb3286c943e69771cd630757cd16bdf
SHA256 0fa269be03146fff09c0ed89d794dc3c141f9e60a5c1e83c432a022294e2a19d
SHA512 833b9200854811d35a243938dd9f47bb53be3559716438afd91fb8eabf282c6a23d49b4a4e3391e9bccd339048a65d75ec18ba4e8b922caf46d70d83b8a98079

memory/3036-13-0x0000000075180000-0x0000000075930000-memory.dmp

memory/3036-14-0x0000000075180000-0x0000000075930000-memory.dmp