asyncrat | 40fe14bb211ec9fecbe5a3a8750bf1a8fd9104264f3f76178ac4b3778e656506

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe
Size

12.7MB
MD5

2c5d99dfc22e3c7c13abd40ef29082a6
SHA1

2eae7f57966c4409cfecda611ddb41e3d1da8147
SHA256

521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec
SHA512

21af954bb927cd6548f20333b582c130fa3e4f6a253318b3aec66fe8628dbe50a7ecdc729935f5a215a3ac2027429d87a58fea9a0f2b93e5c477cc5a3fd037fc
SSDEEP

196608:fmQDIJzN0rl/RNfrOzDzRgIurg8dCMZqWlggN2:eQO0rl/RRSgIurgjyGgN2

Score

10^/10

asyncrat neshta discovery execution persistence rat spyware

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Neshta payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b03-8.dat	family_neshta
behavioral2/memory/5064-54-0x0000000000560000-0x000000000109E000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Windows Security Services Help.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Windows Security Services Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Windows Security Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Windows Security Services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe

Executes dropped EXE 9 IoCs

pid	Process
5064	DangerousRAT.exe
5108	Windows Security Services.exe
116	Windows Security Services Help.exe
3172	Windows Security Services Update.exe
1512	Windows Security Services.exe
4360	Windows Security Services.exe
4312	Windows Security Services.exe
412	Windows Security Services.exe
1056	Windows Security Services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rtlieujwqeasnagwindows update = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rtlieujwqeasnagwindows update.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rtlieujwqeasnagwindows update = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Rtlieujwqeasnagwindows update.vbs\""	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3852	powershell.exe
3244	powershell.exe
2028	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 116 set thread context of 4360	116	Windows Security Services Help.exe	112
PID 3172 set thread context of 412	3172	Windows Security Services Update.exe	120
PID 5108 set thread context of 1056	5108	Windows Security Services.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	5064	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services Help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DangerousRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Windows Security Services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Windows Security Services Help.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Windows Security Services Update.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4360	Windows Security Services.exe
412	Windows Security Services.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4476	powershell.exe
752	powershell.exe
1904	powershell.exe
4476	powershell.exe
1904	powershell.exe
752	powershell.exe
1468	powershell.exe
3976	powershell.exe
1468	powershell.exe
4504	powershell.exe
3976	powershell.exe
4504	powershell.exe
116	Windows Security Services Help.exe
116	Windows Security Services Help.exe
116	Windows Security Services Help.exe
116	Windows Security Services Help.exe
116	Windows Security Services Help.exe
116	Windows Security Services Help.exe
3172	Windows Security Services Update.exe
3172	Windows Security Services Update.exe
3172	Windows Security Services Update.exe
3172	Windows Security Services Update.exe
3172	Windows Security Services Update.exe
3172	Windows Security Services Update.exe
3852	powershell.exe
5108	Windows Security Services.exe
5108	Windows Security Services.exe
3244	powershell.exe
3852	powershell.exe
2028	powershell.exe
3244	powershell.exe
2028	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	DangerousRAT.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	116	Windows Security Services Help.exe
Token: SeDebugPrivilege	3172	Windows Security Services Update.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	5108	Windows Security Services.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4360	Windows Security Services.exe
412	Windows Security Services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 5064	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	82
PID 688 wrote to memory of 5064	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	82
PID 688 wrote to memory of 5064	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	82
PID 688 wrote to memory of 5108	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	83
PID 688 wrote to memory of 5108	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	83
PID 688 wrote to memory of 5108	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	83
PID 688 wrote to memory of 116	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	84
PID 688 wrote to memory of 116	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	84
PID 688 wrote to memory of 116	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	84
PID 688 wrote to memory of 3172	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	85
PID 688 wrote to memory of 3172	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	85
PID 688 wrote to memory of 3172	688	521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe	85
PID 116 wrote to memory of 4476	116	Windows Security Services Help.exe	88
PID 116 wrote to memory of 4476	116	Windows Security Services Help.exe	88
PID 116 wrote to memory of 4476	116	Windows Security Services Help.exe	88
PID 3172 wrote to memory of 1904	3172	Windows Security Services Update.exe	89
PID 3172 wrote to memory of 1904	3172	Windows Security Services Update.exe	89
PID 3172 wrote to memory of 1904	3172	Windows Security Services Update.exe	89
PID 5108 wrote to memory of 752	5108	Windows Security Services.exe	90
PID 5108 wrote to memory of 752	5108	Windows Security Services.exe	90
PID 5108 wrote to memory of 752	5108	Windows Security Services.exe	90
PID 116 wrote to memory of 1468	116	Windows Security Services Help.exe	95
PID 116 wrote to memory of 1468	116	Windows Security Services Help.exe	95
PID 116 wrote to memory of 1468	116	Windows Security Services Help.exe	95
PID 3172 wrote to memory of 3976	3172	Windows Security Services Update.exe	97
PID 3172 wrote to memory of 3976	3172	Windows Security Services Update.exe	97
PID 3172 wrote to memory of 3976	3172	Windows Security Services Update.exe	97
PID 5108 wrote to memory of 4504	5108	Windows Security Services.exe	99
PID 5108 wrote to memory of 4504	5108	Windows Security Services.exe	99
PID 5108 wrote to memory of 4504	5108	Windows Security Services.exe	99
PID 116 wrote to memory of 4500	116	Windows Security Services Help.exe	110
PID 116 wrote to memory of 4500	116	Windows Security Services Help.exe	110
PID 116 wrote to memory of 4500	116	Windows Security Services Help.exe	110
PID 116 wrote to memory of 1512	116	Windows Security Services Help.exe	111
PID 116 wrote to memory of 1512	116	Windows Security Services Help.exe	111
PID 116 wrote to memory of 1512	116	Windows Security Services Help.exe	111
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 116 wrote to memory of 4360	116	Windows Security Services Help.exe	112
PID 4500 wrote to memory of 3852	4500	WScript.exe	113
PID 4500 wrote to memory of 3852	4500	WScript.exe	113
PID 4500 wrote to memory of 3852	4500	WScript.exe	113
PID 3172 wrote to memory of 1452	3172	Windows Security Services Update.exe	115
PID 3172 wrote to memory of 1452	3172	Windows Security Services Update.exe	115
PID 3172 wrote to memory of 1452	3172	Windows Security Services Update.exe	115
PID 3172 wrote to memory of 3224	3172	Windows Security Services Update.exe	116
PID 3172 wrote to memory of 3224	3172	Windows Security Services Update.exe	116
PID 3172 wrote to memory of 3224	3172	Windows Security Services Update.exe	116
PID 4360 wrote to memory of 1448	4360	Windows Security Services.exe	117
PID 4360 wrote to memory of 1448	4360	Windows Security Services.exe	117
PID 4360 wrote to memory of 1448	4360	Windows Security Services.exe	117
PID 3172 wrote to memory of 4312	3172	Windows Security Services Update.exe	119
PID 3172 wrote to memory of 4312	3172	Windows Security Services Update.exe	119
PID 3172 wrote to memory of 4312	3172	Windows Security Services Update.exe	119
PID 3172 wrote to memory of 412	3172	Windows Security Services Update.exe	120
PID 3172 wrote to memory of 412	3172	Windows Security Services Update.exe	120
PID 3172 wrote to memory of 412	3172	Windows Security Services Update.exe	120
PID 3172 wrote to memory of 412	3172	Windows Security Services Update.exe	120
PID 3172 wrote to memory of 412	3172	Windows Security Services Update.exe	120

C:\Users\Admin\AppData\Local\Temp\521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe
"C:\Users\Admin\AppData\Local\Temp\521e56bdd27018ee0f40341bf556f7748f2eebb32a4bd016789a6b7801d010ec.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\DangerousRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\DangerousRAT.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 852
    3⤵
    - Program crash
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Czvmmniarhsx.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:1796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2028
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1056
- C:\Users\Admin\AppData\Local\Temp\Windows Security Services Help.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Services Help.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Fiswjsizjcjynjqomep.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3852
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services" Help.exe
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services" Help.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\help.exe
      "C:\Windows\System32\help.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
- C:\Users\Admin\AppData\Local\Temp\Windows Security Services Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security Services Update.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Pblsxziib.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:1452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3244
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pblsxziib.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3224
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rtlieujwqeasnagwindows update.vbs"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2224
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services" Update.exe
    3⤵
    - Executes dropped EXE
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Services" Update.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
64fa029a15b3e0988bf8bead8cb27a76

SHA1
c1ea09260999653eb817293930c7febd6e6aaaf3

SHA256
3e24bc8589f604dfc98c6faab73972be2eb304f6765860b9f63574f2517d2a40

SHA512
d47d87b3604286067b7b11e26742b7ef9d278abef40649d5da5a40b0101d141f812392425df180b4cea33c9ed35ef2d3e310eabea0fd40239c5aef0846383bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
8KB

MD5
5d1c0fca9610653ce069badfed54d8a1

SHA1
d927a9a37b0675745b6c426c2561fa57ab727a52

SHA256
290c6e71ea1571f81331802a65075a16ca79c35eb69461f42b481d958140340e

SHA512
29ab594f024cc72163f1756ccb668787528f71b4346b66bf149cc878dea14d4d97290108c3cca69c1649568a5a0fb568e93fb9157a80f5898c3f83adbabfb26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
764B

MD5
9584d5fce49dd5e7035fc40b2a1b5b8e

SHA1
3bae4293291ba59b5afb2508b2744fee45989f33

SHA256
959d037c95e8f83bed888f2cafb2144c35917c3bb76dc053cd3d070b0442c805

SHA512
381d95d64fce2242dc2b2a6276c114067e038a1b10c27895b57ab518b0385a83d41344f61e8cb8ad9b747902b6c2c32445f74bc30a7368e6cdcf5c8eb309b533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
f65da5c2c8ab7de188191f623c199690

SHA1
75720401b093f9eca9fbeafce5c34e96265b09de

SHA256
64a10ac95b9a69cb0f9920e672db031b8b7f13db72dcc4234c2e4c44d6a0f8db

SHA512
8fa4a4f2ed9bfc1e4cc102a1da7d9b7967bbd4c0a191adaa73aaa9171e0f19d624905db05f1e290babdee81c2392d512943be16e30ba8b10e4608820d07dc52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c0248a7982826aeb6713d3e43f7d5776

SHA1
2a438ea1e21112ca407632bcfb46074ab6c44fe1

SHA256
5ee285f91ff54e0006313cd633d7d53e6ae35873bb2c63c1c5ce5bcab6543eff

SHA512
a3552dcd56b0eeabc93f5b76f04a6a597a79e0b24beac892039f5da8007935f1710187cf0ed31984874d2fe416794982ce2f7a2f148ddd4618b8cc015465a4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f0b834c6501c511beca6d606b1ec730f

SHA1
3d505c05fbadd0d79d678930fb44d0bd77decef7

SHA256
5af0654b84ee98a4ea088812ce15be804f249e14a2016d5a977fb659e3a1aba1

SHA512
f6edd6ce0ae216123cc775c432549063b293e803c95ab5cf9f4db6542a394ebe94ee17cacf7933005362c69813ad484a063fe6e717a2fba0b44be0baf3a6ec2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
326f9cfd81b009a73d0a6dd9065f3a35

SHA1
183fdc9c48ff1a74c835c1f96e7a00bc9ea8da89

SHA256
8afaca6d563c152ea71df14a56becb6695871314d73dcb72ebde72e75ee06a7f

SHA512
5fd728a763e719e2986463d22950b025142c246d899f83bf853f9a83ba6bd885ee8d5d71e991b942c94076e374512d376ec5120af0203e3b331e1372f5abd584

Download Submit
C:\Users\Admin\AppData\Local\Temp\DangerousRAT.exe

Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pblsxziib.vbs

Filesize
117B

MD5
a2bde8651257c1619a01520a092e3871

SHA1
0b56111496c724038b00222639658856962c7ab7

SHA256
ff5ad6b32f7c48563c4c2686cdd55b5005e729da4b932dc0e7689aa7c182e0df

SHA512
dbf9c9141c1d2df2905b8ad8169e33e7d8328dfd7f19119163601b5f7a06b380f7836fe0d276929d0fb40e29337a28f5ae6b1a8bcd115e10dac03ec3317e525b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rtlieujwqeasnagwindows update.vbs

Filesize
614KB

MD5
b14587cd6b30dea73f73d6138ea9d259

SHA1
e289a674f9b1138c1b8f392ec752c912800be0cc

SHA256
f5359df2aaa02fbfae540934f3e8f8a2ab362f7ee92dda536846afb67cea1b02

SHA512
5ac61b9eb9fbdca73e6ecfdb59e199419de0feb57f77652d8fbfebd543450fde593d375f76b5eb9a9bcd6f6c1dd01298dc1dc55f8e9844333b94ac49a3755f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Services Help.exe

Filesize
518KB

MD5
8a20ca605ca1ce7803ffb9e2219d5206

SHA1
88f2d6daf773b62d7913acce676b72b0818c2e08

SHA256
2c8aa2ce1b5b818d7a66f24cbb30d664d5618af94248ebf9c55e713c1f97d162

SHA512
0e4abf37ed5b528712662bf03bd4afb384fba9448d51a26cce03cb68cce4e018f5b295bea7b137146814fbe891e46348034e07c36b6ad47faf18b79ad198b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Services Update.exe

Filesize
489KB

MD5
7e805a295cc926c83de5913878219200

SHA1
ade9551bcaf138334054c6d16ae928bd107144a3

SHA256
afadf913b2d2a4caacc2b893c049b75766596efb4adfedbf217f618d4e4a8eb5

SHA512
18115735c618c5d44f1ebdfd2e8d455bc0f611481f3a652510abeca1b3c4829c4189aebe9d570359ab0b1b13574727ae3641db66080e43cb9a6b281bfcc6634f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Services.exe

Filesize
468KB

MD5
b0a2c3ad7d88f8928f7e1fce28223228

SHA1
2d53080eedf02ebc1c87f33b2bf51e60071863e0

SHA256
4693e7ec8479b765e57bf6dc2b2eb11ddd3523fe4cf76a3fd3c8d449fd17953f

SHA512
b9eed874f4fb9b903fac4f9f150e6bf4e7a79e62e5174ce4082600a402626a17cac74730028fd0ace092a76b94d2197518dcd05d8d3ad52330cfabc3195ae95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Fiswjsizjcjynjqomep.vbs

Filesize
181B

MD5
f1502081d1172131e3d33d384d1adb56

SHA1
85e44eb1e8c5b2911f8d6fcd339d4b3079b61eb4

SHA256
e39b7fbb84070e09b663dde6fe11b1048eeeede75c5eb521af28530389cae0c4

SHA512
5b61adb8ba73ef00db17183c9d569f9eb20196d05946ae082bcbf21aaca483b76ca83fb108329f73150bf43108a9c970474037861bc12a09f3d998de8d4057f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ml4vqpa1.jb1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/116-145-0x0000000000CA0000-0x0000000000CC8000-memory.dmp

Filesize
160KB

Download
memory/116-52-0x00000000004B0000-0x0000000000538000-memory.dmp

Filesize
544KB

Download
memory/116-134-0x00000000060B0000-0x00000000060FA000-memory.dmp

Filesize
296KB

Download
memory/412-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-50-0x00007FFB82660000-0x00007FFB83001000-memory.dmp

Filesize
9.6MB

Download
memory/688-0-0x00007FFB82915000-0x00007FFB82916000-memory.dmp

Filesize
4KB

Download
memory/688-5-0x00007FFB82660000-0x00007FFB83001000-memory.dmp

Filesize
9.6MB

Download
memory/688-2-0x00007FFB82660000-0x00007FFB83001000-memory.dmp

Filesize
9.6MB

Download
memory/688-1-0x000000001C730000-0x000000001C7D6000-memory.dmp

Filesize
664KB

Download
memory/752-92-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/1056-186-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1468-103-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/1468-132-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/1904-93-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/1904-64-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/1904-60-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/1904-59-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/2028-237-0x0000000075BF0000-0x0000000075C3C000-memory.dmp

Filesize
304KB

Download
memory/3172-161-0x0000000000B00000-0x0000000000B28000-memory.dmp

Filesize
160KB

Download
memory/3172-53-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3172-137-0x0000000005260000-0x00000000052A4000-memory.dmp

Filesize
272KB

Download
memory/3172-51-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/3172-57-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/3244-225-0x0000000075BF0000-0x0000000075C3C000-memory.dmp

Filesize
304KB

Download
memory/3852-221-0x0000000007310000-0x00000000073B3000-memory.dmp

Filesize
652KB

Download
memory/3852-224-0x00000000060C0000-0x00000000060D1000-memory.dmp

Filesize
68KB

Download
memory/3852-236-0x0000000007780000-0x0000000007794000-memory.dmp

Filesize
80KB

Download
memory/3852-235-0x00000000060F0000-0x00000000060FE000-memory.dmp

Filesize
56KB

Download
memory/3852-223-0x0000000007860000-0x00000000078F6000-memory.dmp

Filesize
600KB

Download
memory/3852-180-0x0000000005B90000-0x0000000005EE4000-memory.dmp

Filesize
3.3MB

Download
memory/3852-222-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/3852-220-0x0000000007220000-0x000000000723E000-memory.dmp

Filesize
120KB

Download
memory/3852-248-0x00000000077A0000-0x00000000077A8000-memory.dmp

Filesize
32KB

Download
memory/3852-199-0x00000000065A0000-0x00000000065EC000-memory.dmp

Filesize
304KB

Download
memory/3852-209-0x0000000007240000-0x0000000007272000-memory.dmp

Filesize
200KB

Download
memory/3852-210-0x0000000075BF0000-0x0000000075C3C000-memory.dmp

Filesize
304KB

Download
memory/3852-247-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/4360-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4476-63-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4476-61-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/4476-62-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/4476-94-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/4476-95-0x00000000066A0000-0x00000000066BA000-memory.dmp

Filesize
104KB

Download
memory/5064-54-0x0000000000560000-0x000000000109E000-memory.dmp

Filesize
11.2MB

Download
memory/5064-58-0x0000000005640000-0x00000000056DC000-memory.dmp

Filesize
624KB

Download
memory/5108-140-0x0000000005730000-0x0000000005774000-memory.dmp

Filesize
272KB

Download
memory/5108-56-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/5108-55-0x0000000000B90000-0x0000000000C0C000-memory.dmp

Filesize
496KB

Download
memory/5108-183-0x0000000006A60000-0x0000000006A84000-memory.dmp

Filesize
144KB

Download