Malware Analysis Report

2025-04-13 12:35

Sample ID: 240803-dyz3ds1hjn
Target: b7f0467ea05cdb14eea0f67fd09e8bc6.bin
SHA256: e8594a68a1b573d8cec8418bb410be8d8e3d3cec1017130640dd5aab770059ad
Tags: asyncrat, default, discovery, execution, rat, upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: e8594a68a1b573d8cec8418bb410be8d8e3d3cec1017130640dd5aab770059ad
Threat Level: Known bad
The file b7f0467ea05cdb14eea0f67fd09e8bc6.bin was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, default, discovery, execution, rat, upx

Signatures (union of the static and behavioral analyses below):
AsyncRat
Async RAT payload
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. Techniques named by the signatures in this report: Command and Scripting Interpreter: PowerShell (T1059.001, Execution) and System Location Discovery: System Language Discovery (T1614.001, Discovery).

Analysis: static1

Detonation Overview

Reported

2024-08-03 03:25

Signatures

Unsigned PE
No indicator, process or target details recorded (all fields N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 03:25
Reported: 2024-08-03 03:28
Platform: win7-20240704-en
Max time kernel: 33s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"

Signatures

AsyncRat (rat, asyncrat)

Async RAT payload (rat)
No indicator, process or target details recorded (all fields N/A).

Executes dropped EXE
Process: C:\Users\Admin\AppData\Roaming\SET-UP.EXE
Process: C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

Loads dropped DLL
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (2 events)

UPX packed file (upx)
8 matches; no indicator, process or target details recorded (all fields N/A).

Command and Scripting Interpreter: PowerShell (execution)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Suspicious use of SetThreadContext
Description | Indicator | Process | Target
PID 2276 set thread context of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\AppData\Roaming\SET-UP.EXE
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE
C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege, requested by each of:
C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

Suspicious use of WriteProcessMemory
(Indicator was N/A for every row; Events is the number of identical rows the sandbox recorded for that source/target pair.)
Description | Events | Process | Target
PID 2276 wrote to memory of 2880 | 4 | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2744 | 7 | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2276 wrote to memory of 2928 | 11 | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2928 wrote to memory of 2808 | 4 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Roaming\SET-UP.EXE
PID 2928 wrote to memory of 2640 | 4 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE
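Read together, the SetThreadContext and WriteProcessMemory rows above describe the injection chain: the sample (PID 2276) writes into a freshly started RegAsm.exe (PID 2928) and then replaces that process's thread context, and the hollowed RegAsm.exe in turn writes into the two dropped executables it launches. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the shape the report prints (the input is constructed from the behavioral1 tables, one row per distinct source/target pair), flags the write-plus-context-swap pattern when the target is a signed .NET host binary, and rebuilds the parent/child tree from the edges. The list of host binaries is an analyst assumption, not something the report supplies.

```python
import re
from collections import defaultdict

# Constructed input: one row per distinct source/target pair from the
# behavioral1 SetThreadContext and WriteProcessMemory tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SETUP = r"C:\Users\Admin\AppData\Roaming\SET-UP.EXE"
SETUGP = r"C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE"

EVENTS = [
    f"PID 2276 set thread context of 2928 N/A {SAMPLE} {REGASM}",
    f"PID 2276 wrote to memory of 2880 N/A {SAMPLE} {PS}",
    f"PID 2276 wrote to memory of 2744 N/A {SAMPLE} {REGASM}",
    f"PID 2276 wrote to memory of 2928 N/A {SAMPLE} {REGASM}",
    f"PID 2928 wrote to memory of 2808 N/A {REGASM} {SETUP}",
    f"PID 2928 wrote to memory of 2640 N/A {REGASM} {SETUGP}",
]

# Row shape: "PID <src> <op> <dst> <indicator> <process> <target>"; paths in
# the report contain no whitespace, so \S+ is enough.
ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")

# Assumption: signed Microsoft binaries that .NET loaders commonly hollow.
# This list is the analyst's own, not something the report provides.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_events(rows):
    """Return {(src_pid, dst_pid): {"src": path, "dst": path, "ops": set()}}."""
    pairs = {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue  # placeholder rows (all N/A) carry no usable edge
        src, op, dst, src_path, dst_path = m.groups()
        edge = pairs.setdefault((int(src), int(dst)),
                                {"src": src_path, "dst": dst_path, "ops": set()})
        edge["ops"].add("SetThreadContext" if op.startswith("set") else "WriteProcessMemory")
    return pairs

def hollowing_candidates(pairs):
    """A child whose memory was written AND whose thread context was replaced
    by the same parent, where the child image is a signed host binary."""
    hits = []
    for (src, dst), e in pairs.items():
        host = _basename(e["dst"]).lower()
        if {"WriteProcessMemory", "SetThreadContext"} <= e["ops"] and host in HOLLOW_HOSTS:
            hits.append((src, dst, host))
    return sorted(hits)

def process_tree(pairs, root):
    """Render the parent->child edges as an indented tree rooted at root PID."""
    children = defaultdict(list)
    names = {}
    for (src, dst), e in pairs.items():
        children[src].append(dst)
        names[src] = _basename(e["src"])
        names[dst] = _basename(e["dst"])
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root, 0)
    return lines

if __name__ == "__main__":
    pairs = parse_events(EVENTS)
    for src, dst, host in hollowing_candidates(pairs):
        print(f"hollowing candidate: PID {src} -> PID {dst} ({host})")
    print("\n".join(process_tree(pairs, 2276)))
```

Note that PID 2744 (a second RegAsm.exe) only ever receives writes and never a SetThreadContext, so it is not reported as hollowed; keeping both operations in the rule is what separates the hollowing pattern from a plain remote write.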

Processes

C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe

"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\SET-UP.EXE

"C:\Users\Admin\AppData\Roaming\SET-UP.EXE"

C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

"C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 parsher.ddnsfree.com udp
TR 5.252.74.251:8808 parsher.ddnsfree.com tcp

Files

memory/2276-0-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

memory/2276-1-0x0000000000A40000-0x0000000000A5A000-memory.dmp

memory/2276-2-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2276-3-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

memory/2276-4-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2276-5-0x0000000000450000-0x0000000000468000-memory.dmp

memory/2928-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2928-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2276-22-0x0000000073ED0000-0x00000000745BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\SET-UP.EXE

MD5 098062dde5741b0b42e73060a1b95db0
SHA1 803e9fd3f740cfebb06333a7e056e6b6dbdc10d1
SHA256 63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611
SHA512 69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

MD5 09bc60ead95b7741e734741f8fb8a11a
SHA1 92a543c0091d6284022faa50314bb0bac7b58489
SHA256 a069e19a43489131c37a99f2c8eae8c53397b5e6a8e4f8b80fbec5c93556c419
SHA512 625a3ea7b9cd4b95ee6325bcaefb94f7af8c7f1af2c1a2e41f782c6e35a41aea4ee50a09b5a6a7d8b47e3c6ad2a37d90f60a7ec4ac75e331e61f5fe829b7d991

memory/2928-34-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2640-36-0x00000000003A0000-0x00000000003B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6106.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 03:25
Reported: 2024-08-03 03:28
Platform: win10v2004-20240802-en
Max time kernel: 94s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"

Signatures

AsyncRat (rat, asyncrat)

Async RAT payload (rat)
No indicator, process or target details recorded (all fields N/A).

Checks computer location settings
Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Executes dropped EXE
Process: C:\Users\Admin\AppData\Roaming\SET-UP.EXE
Process: C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

UPX packed file (upx)
5 matches; no indicator, process or target details recorded (all fields N/A).

Command and Scripting Interpreter: PowerShell (execution)
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Suspicious use of SetThreadContext
Description | Indicator | Process | Target
PID 5116 set thread context of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\AppData\Roaming\SET-UP.EXE
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

Suspicious behavior: EnumeratesProcesses
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege, requested by each of:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

Suspicious use of WriteProcessMemory
(Indicator was N/A for every row; Events is the number of identical rows the sandbox recorded for that source/target pair.)
Description | Events | Process | Target
PID 5116 wrote to memory of 1496 | 3 | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 5068 | 7 | C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5068 wrote to memory of 548 | 3 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Roaming\SET-UP.EXE
PID 5068 wrote to memory of 2156 | 3 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe

"C:\Users\Admin\AppData\Local\Temp\111aa30a320d763f875d21e66345c86e8580ccbe0d50e99733991caff1d2201b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\SET-UP.EXE

"C:\Users\Admin\AppData\Roaming\SET-UP.EXE"

C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

"C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE"
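Both detonations (behavioral1 and behavioral2) record the same PowerShell command line: it deletes and re-creates a value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose name is empty and whose data points to a nameless .exe under AppData\Roaming. The Python below is an added example, not part of the report or its tooling, that scores such command lines for a detection pipeline: it splits the command into statements, keeps the New-/Set-ItemProperty ones aimed at the Run/RunOnce keys, pulls the single-quoted -Name and -Value arguments, and raises separate findings for the empty value name, the user-writable payload location and the nameless executable. The sample command line is taken from the Processes listing above; the benign installer command line is constructed here for contrast, and the cmdlet/argument parsing assumes the single-quoted form seen in this report.

```python
import re

# Command line as printed in the Processes section of both detonations.
CMDLINE = r'''
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
'''.strip()

# Constructed benign control: an installer registering a named helper under Program Files.
BENIGN = r'''
"powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VendorUpdater' -Value '"C:\Program Files\Vendor\updater.exe"' -PropertyType 'String'
'''.strip()

# Autostart keys of interest (HKCU and HKLM, drive-style or long hive names).
RUN_KEYS = re.compile(
    r"(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE):?\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\b",
    re.I)
# Cmdlets that create or overwrite a value; Remove-ItemProperty alone is not a persistence write.
WRITE_CMDLETS = re.compile(r"\b(New|Set)-ItemProperty\b", re.I)
# Locations a standard user can write to, where a Run-key payload should not normally live.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)

def _param(statement, name):
    """Return the single-quoted argument of -<name> ('' doubled inside is an escaped quote)."""
    m = re.search(rf"-{name}\s+'((?:[^']|'')*)'", statement, re.I)
    return m.group(1).replace("''", "'") if m else None

def analyze_run_key_cmdline(cmdline):
    """One finding per statement that writes a Run/RunOnce value, with the reasons it looks bad."""
    findings = []
    for statement in cmdline.split(";"):
        if not (WRITE_CMDLETS.search(statement) and RUN_KEYS.search(statement)):
            continue
        name = _param(statement, "Name")
        value = _param(statement, "Value") or ""
        exe = value.strip('"')  # the report wraps the path in an inner pair of double quotes
        reasons = ["run-key write via PowerShell"]
        if name == "":
            reasons.append("empty value name")
        if USER_WRITABLE.search(exe):
            reasons.append("payload in user-writable path")
        if exe.rsplit("\\", 1)[-1] in (".exe", ""):
            reasons.append("nameless executable")
        findings.append({"name": name, "path": exe, "reasons": reasons})
    return findings

def score(findings):
    """Highest reason count across findings; 0 when nothing touched a Run key."""
    return max((len(f["reasons"]) for f in findings), default=0)

if __name__ == "__main__":
    for label, cmd in (("sample", CMDLINE), ("benign", BENIGN)):
        findings = analyze_run_key_cmdline(cmd)
        print(label, score(findings), findings)
```

A plain Run-key write from PowerShell scores 1 on its own, which is why the benign control is not flagged as malicious; it is the combination of an empty value name, a payload under AppData\Roaming and an executable with no basename that pushes this sample's command line to the top score.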

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 parsher.ddnsfree.com udp
TR 5.252.74.251:8808 parsher.ddnsfree.com tcp
US 8.8.8.8:53 251.74.252.5.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/5116-0-0x000000007471E000-0x000000007471F000-memory.dmp

memory/5116-1-0x0000000000D70000-0x0000000000D8A000-memory.dmp

memory/5116-2-0x0000000005DE0000-0x0000000006384000-memory.dmp

memory/5116-3-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/5116-4-0x0000000005940000-0x000000000594A000-memory.dmp

memory/5116-5-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/5116-6-0x00000000059D0000-0x0000000005A46000-memory.dmp

memory/5116-7-0x000000007471E000-0x000000007471F000-memory.dmp

memory/5116-8-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/5116-9-0x0000000005A50000-0x0000000005A68000-memory.dmp

memory/5116-10-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

memory/5068-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5068-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5068-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1496-20-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/5116-19-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/1496-18-0x0000000002840000-0x0000000002876000-memory.dmp

memory/1496-22-0x00000000053A0000-0x00000000059C8000-memory.dmp

memory/1496-21-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/1496-24-0x0000000005160000-0x0000000005182000-memory.dmp

memory/5068-27-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l13ylhot.mgl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1496-26-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/1496-34-0x0000000005B20000-0x0000000005E74000-memory.dmp

memory/1496-25-0x00000000059D0000-0x0000000005A36000-memory.dmp

C:\Users\Admin\AppData\Roaming\SET-UP.EXE

MD5 098062dde5741b0b42e73060a1b95db0
SHA1 803e9fd3f740cfebb06333a7e056e6b6dbdc10d1
SHA256 63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611
SHA512 69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

memory/1496-23-0x0000000074710000-0x0000000074EC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SETUGP.EXE.EXE

MD5 09bc60ead95b7741e734741f8fb8a11a
SHA1 92a543c0091d6284022faa50314bb0bac7b58489
SHA256 a069e19a43489131c37a99f2c8eae8c53397b5e6a8e4f8b80fbec5c93556c419
SHA512 625a3ea7b9cd4b95ee6325bcaefb94f7af8c7f1af2c1a2e41f782c6e35a41aea4ee50a09b5a6a7d8b47e3c6ad2a37d90f60a7ec4ac75e331e61f5fe829b7d991

memory/1496-58-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/5068-59-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1496-57-0x00000000061B0000-0x00000000061CE000-memory.dmp

memory/2156-56-0x0000000000F20000-0x0000000000F32000-memory.dmp

memory/1496-62-0x00000000066F0000-0x0000000006712000-memory.dmp

memory/1496-61-0x00000000066A0000-0x00000000066BA000-memory.dmp

memory/1496-60-0x0000000006720000-0x00000000067B6000-memory.dmp

memory/1496-64-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/2156-65-0x0000000005B40000-0x0000000005BDC000-memory.dmp