Malware analysis /Myshas/Data-Encoder-Crypter-Encoded-Aes-Hidden-Startup/raw/main/Data%20Encoder%20Src/DataEncoder%20Crypte%E2%80%AEnls..scr Malicious activity

Add for printing

download:	/Myshas/Data-Encoder-Crypter-Encoded-Aes-Hidden-Startup/raw/main/Data%20Encoder%20Src/DataEncoder%20Crypte%E2%80%AEnls..scr
Full analysis:	https://app.any.run/tasks/c506335a-5b49-4e68-9423-2cf8a5d95790
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 20, 2024, 11:09:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github api-base64 rat asyncrat remote evasion telegram phishing exfiltration stealer found-by-newdark
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	7C031479DEDAB585B453098453A09F35
SHA1:	401EC0BF7CE170A67C0317150C2B83885E8ABC54
SHA256:	138BE3A5769AF371A332CF9404CCA591CD78D594D6A072FA8047E222AC92770E
SSDEEP:	12288:6B3nNy7YxUxwiHiNa16z+VKJD0fSKz/dWDHKcD2k:enNyMxHiHcKVKJD0fSKz1WzKcD2k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - 7z.exe (PID: 7144)
  - MicrosoftCorporation.exe (PID: 3020)
  - 7z.exe (PID: 5948)
  - WinSAT.exe (PID: 5168)
  - Runtime Broker.exe (PID: 7012)
  - 7z.exe (PID: 7076)
  - Microsoft.exe (PID: 5108)
  - 7z.exe (PID: 8160)
- Changes the autorun value in the registry
  - Service.exe (PID: 5772)
  - Service.exe (PID: 2060)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 5720)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7700)
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 5720)
- UAC/LUA settings modification
  - reg.exe (PID: 3944)
- ASYNCRAT has been detected (SURICATA)
  - RegAsm.exe (PID: 6384)
  - RegAsm.exe (PID: 7840)
- Windows Defender preferences modified via 'Set-MpPreference'
  - cmd.exe (PID: 5720)
- Uses Task Scheduler to run other applications
  - MicrosoftCorporation.exe (PID: 3020)
  - cmd.exe (PID: 7424)
  - cmd.exe (PID: 6492)
  - cmd.exe (PID: 6044)
  - cmd.exe (PID: 7548)
  - cmd.exe (PID: 7996)
- The DLL Hijacking
  - Microsoft.exe (PID: 3108)
- Attempting to use instant messaging service
  - MicrosoftCorporation.exe (PID: 3020)
- Stealers network behavior
  - MicrosoftCorporation.exe (PID: 3020)
SUSPICIOUS
- Drops 7-zip archiver for unpacking
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - WinSAT.exe (PID: 5168)
- Executable content was dropped or overwritten
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - 7z.exe (PID: 7144)
  - 7z.exe (PID: 5948)
  - WinSAT.exe (PID: 5168)
  - Runtime Broker.exe (PID: 7012)
  - 7z.exe (PID: 7076)
  - 7z.exe (PID: 8160)
  - Microsoft.exe (PID: 5108)
- Reads security settings of Internet Explorer
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - WinSAT.exe (PID: 5168)
- Application launched itself
  - MicrosoftCorporation.exe (PID: 8084)
  - cmd.exe (PID: 1964)
  - Runtime Broker.exe (PID: 7012)
  - Microsoft.exe (PID: 5108)
  - cmd.exe (PID: 7044)
- The process executes VB scripts
  - MicrosoftCorporation.exe (PID: 3020)
  - cmd.exe (PID: 5408)
- Process drops legitimate windows executable
  - MicrosoftCorporation.exe (PID: 3020)
  - 7z.exe (PID: 7076)
  - Microsoft.exe (PID: 5108)
  - WinSAT.exe (PID: 5168)
- Runs shell command (SCRIPT)
  - cscript.exe (PID: 7300)
  - wscript.exe (PID: 8108)
- Likely accesses (executes) a file from the Public directory
  - cmd.exe (PID: 1964)
  - powershell.exe (PID: 6500)
  - Service.exe (PID: 5772)
  - cscript.exe (PID: 7300)
  - cmd.exe (PID: 7540)
  - cmd.exe (PID: 6880)
  - cmd.exe (PID: 7508)
  - attrib.exe (PID: 5464)
  - attrib.exe (PID: 5252)
  - attrib.exe (PID: 5716)
  - cmd.exe (PID: 5408)
  - wscript.exe (PID: 8108)
  - cmd.exe (PID: 7044)
  - powershell.exe (PID: 8116)
  - Service.exe (PID: 2060)
- Starts CMD.EXE for commands execution
  - cscript.exe (PID: 7300)
  - cmd.exe (PID: 1964)
  - Service.exe (PID: 5772)
  - Runtime Broker.exe (PID: 7012)
  - Microsoft.exe (PID: 5108)
  - wscript.exe (PID: 8108)
  - cmd.exe (PID: 7044)
  - Service.exe (PID: 2060)
- Identifying current user with WHOAMI command
  - cmd.exe (PID: 1964)
  - cmd.exe (PID: 7044)
- Executing commands from a ".bat" file
  - cscript.exe (PID: 7300)
  - Service.exe (PID: 5772)
  - Microsoft.exe (PID: 5108)
  - wscript.exe (PID: 8108)
  - Service.exe (PID: 2060)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 1964)
  - cmd.exe (PID: 7044)
- Powershell scripting: start process
  - cmd.exe (PID: 1964)
  - cmd.exe (PID: 116)
  - cmd.exe (PID: 7044)
  - cmd.exe (PID: 7392)
  - cmd.exe (PID: 7912)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 1964)
  - cmd.exe (PID: 5720)
  - cmd.exe (PID: 116)
  - cmd.exe (PID: 7044)
  - cmd.exe (PID: 7392)
  - cmd.exe (PID: 7912)
- Starts a Microsoft application from unusual location
  - Service.exe (PID: 5772)
  - Service.exe (PID: 2060)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 5720)
- Query Microsoft Defender preferences
  - cmd.exe (PID: 5720)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 5720)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 5720)
- The process creates files with name similar to system file names
  - MicrosoftCorporation.exe (PID: 3020)
  - 7z.exe (PID: 5948)
  - WinSAT.exe (PID: 5168)
  - 7z.exe (PID: 8160)
- Reads the date of Windows installation
  - MicrosoftCorporation.exe (PID: 3020)
- Contacting a server suspected of hosting an CnC
  - RegAsm.exe (PID: 6384)
  - RegAsm.exe (PID: 7840)
- Connects to unusual port
  - RegAsm.exe (PID: 6384)
  - RegAsm.exe (PID: 7840)
- Malware-specific behavior (creating "System.dll" in Temp)
  - WinSAT.exe (PID: 5168)
- Starts application with an unusual extension
  - cmd.exe (PID: 3836)
- Uses WMIC.EXE to obtain BIOS management information
  - cmd.exe (PID: 7768)
- Uses WMIC.EXE to obtain memory chip information
  - cmd.exe (PID: 8116)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 6872)
  - cmd.exe (PID: 6972)
- Checks for external IP
  - curl.exe (PID: 6104)
  - MicrosoftCorporation.exe (PID: 3020)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 6880)
  - cmd.exe (PID: 7508)
  - cmd.exe (PID: 7104)
  - cmd.exe (PID: 7540)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - MicrosoftCorporation.exe (PID: 3020)
- The process connected to a server suspected of theft
  - MicrosoftCorporation.exe (PID: 3020)
INFO
- Checks supported languages
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - 7z.exe (PID: 7144)
  - MicrosoftCorporation.exe (PID: 3020)
  - Service.exe (PID: 5772)
  - MicrosoftCorporation.exe (PID: 8084)
  - 7z.exe (PID: 5948)
  - aitstatic.exe (PID: 7212)
  - RegAsm.exe (PID: 6384)
  - ComSvcConfig.exe (PID: 8044)
  - RegAsm.exe (PID: 7840)
  - MicrosoftCertificateServices.exe (PID: 6944)
  - RegAsm.exe (PID: 8124)
  - WinSAT.exe (PID: 5168)
  - Runtime Broker.exe (PID: 2828)
  - chcp.com (PID: 6088)
  - curl.exe (PID: 6104)
  - Runtime Broker.exe (PID: 7012)
  - Runtime Broker.exe (PID: 6068)
  - Microsoft.exe (PID: 5108)
  - 7z.exe (PID: 7076)
  - Microsoft.exe (PID: 3108)
  - Microsoft.exe (PID: 6852)
  - 7z.exe (PID: 8160)
  - aitstatic.exe (PID: 5180)
  - RegAsm.exe (PID: 544)
  - Service.exe (PID: 2060)
  - ComSvcConfig.exe (PID: 6140)
  - RegAsm.exe (PID: 3500)
  - MicrosoftCertificateServices.exe (PID: 5660)
  - RegAsm.exe (PID: 6916)
- Reads the machine GUID from the registry
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - MicrosoftCorporation.exe (PID: 8084)
  - RegAsm.exe (PID: 6384)
  - aitstatic.exe (PID: 7212)
  - ComSvcConfig.exe (PID: 8044)
  - RegAsm.exe (PID: 7840)
  - RegAsm.exe (PID: 8124)
  - Runtime Broker.exe (PID: 7012)
  - MicrosoftCertificateServices.exe (PID: 6944)
  - RegAsm.exe (PID: 544)
  - aitstatic.exe (PID: 5180)
  - RegAsm.exe (PID: 3500)
  - ComSvcConfig.exe (PID: 6140)
  - RegAsm.exe (PID: 6916)
  - MicrosoftCertificateServices.exe (PID: 5660)
- Reads the computer name
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - 7z.exe (PID: 7144)
  - MicrosoftCorporation.exe (PID: 8084)
  - Service.exe (PID: 5772)
  - 7z.exe (PID: 5948)
  - MicrosoftCorporation.exe (PID: 3020)
  - aitstatic.exe (PID: 7212)
  - RegAsm.exe (PID: 6384)
  - ComSvcConfig.exe (PID: 8044)
  - RegAsm.exe (PID: 7840)
  - RegAsm.exe (PID: 8124)
  - MicrosoftCertificateServices.exe (PID: 6944)
  - WinSAT.exe (PID: 5168)
  - curl.exe (PID: 6104)
  - Runtime Broker.exe (PID: 7012)
  - Runtime Broker.exe (PID: 2828)
  - Runtime Broker.exe (PID: 6068)
  - 7z.exe (PID: 7076)
  - Microsoft.exe (PID: 5108)
  - Microsoft.exe (PID: 3108)
  - Microsoft.exe (PID: 6852)
  - 7z.exe (PID: 8160)
  - aitstatic.exe (PID: 5180)
  - RegAsm.exe (PID: 544)
  - Service.exe (PID: 2060)
  - ComSvcConfig.exe (PID: 6140)
  - RegAsm.exe (PID: 3500)
  - MicrosoftCertificateServices.exe (PID: 5660)
  - RegAsm.exe (PID: 6916)
- Creates files in the program directory
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - 7z.exe (PID: 7076)
  - Microsoft.exe (PID: 5108)
- Reads Environment values
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - RegAsm.exe (PID: 6384)
  - RegAsm.exe (PID: 7840)
  - Runtime Broker.exe (PID: 7012)
  - Microsoft.exe (PID: 5108)
- Reads the software policy settings
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - RegAsm.exe (PID: 6384)
  - RegAsm.exe (PID: 7840)
- Disables trace logs
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
- Checks proxy server information
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - Runtime Broker.exe (PID: 7012)
  - Microsoft.exe (PID: 5108)
- Reads Microsoft Office registry keys
  - OpenWith.exe (PID: 8180)
- Create files in a temporary directory
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - 7z.exe (PID: 7144)
  - MicrosoftCorporation.exe (PID: 3020)
  - Service.exe (PID: 5772)
  - 7z.exe (PID: 5948)
  - WinSAT.exe (PID: 5168)
  - Runtime Broker.exe (PID: 7012)
  - Microsoft.exe (PID: 5108)
  - 7z.exe (PID: 8160)
  - Service.exe (PID: 2060)
- Creates files or folders in the user directory
  - c506335a-5b49-4e68-9423-2cf8a5d95790.exe (PID: 6800)
  - MicrosoftCorporation.exe (PID: 3020)
  - Microsoft.exe (PID: 5108)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 7300)
  - WMIC.exe (PID: 6524)
  - WMIC.exe (PID: 7376)
- Checks operating system version
  - cmd.exe (PID: 1964)
  - cmd.exe (PID: 7044)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7700)
- Potential library load (Base64 Encoded 'LoadLibrary')
  - MicrosoftCorporation.exe (PID: 3020)
  - Microsoft.exe (PID: 5108)
- Potential dynamic function import (Base64 Encoded 'GetProcAddress')
  - MicrosoftCorporation.exe (PID: 3020)
  - Microsoft.exe (PID: 5108)
- Potential access to remote process (Base64 Encoded 'OpenProcess')
  - MicrosoftCorporation.exe (PID: 3020)
  - Microsoft.exe (PID: 5108)
- Process checks computer location settings
  - MicrosoftCorporation.exe (PID: 3020)
- Reads product name
  - Microsoft.exe (PID: 5108)
- The executable file from the user directory is run by the Powershell process
  - aitstatic.exe (PID: 5180)
  - ComSvcConfig.exe (PID: 6140)
  - MicrosoftCertificateServices.exe (PID: 5660)
- Reads CPU info
  - MicrosoftCorporation.exe (PID: 3020)
- Attempting to use instant messaging service
  - MicrosoftCorporation.exe (PID: 3020)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2064:05:07 09:41:15+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	319488
InitializedDataSize:	40448
UninitializedDataSize:	-
EntryPoint:	0x4fefe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	YnkgdW5rbm93bg==
FileDescription:	Microsoft Visual Studio Solution (.sln)
FileVersion:	1.0.0.0
InternalName:	VisualStudio.exe
LegalCopyright:	Microsoft Visual Studio Solution (.sln)
LegalTrademarks:	-
OriginalFileName:	VisualStudio.exe
ProductName:	Microsoft Visual Studio Solution (.sln)
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

276

Monitored processes

130

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -Command "Start-Process -FilePath 'C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe'""

C:\Windows\System32\cmd.exe

—

Microsoft.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

544

#system32

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

—

aitstatic.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Assembly Registration Utility

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

636

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

912

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1032

powershell -Command "Start-Process -FilePath 'C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\aitstatic.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll

1164

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1340

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1796

schtasks /create /tn "DobeDiscovery" /tr "C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\ComSvcConfig.exe" /st 00:00 /du 9999:59 /sc once /ri 10 /f

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1956

attrib +h +s "C:\ProgramData\lock.ddmb"

C:\Windows\System32\attrib.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Attribute Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1964

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\Videos\b.bat" "

C:\Windows\SysWOW64\cmd.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

115 793

Read events

115 667

Write events

124

Delete events

Modification events


(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6800) c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\c506335a-5b49-4e68-9423-2cf8a5d95790_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

134

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3020	MicrosoftCorporation.exe	C:\Users\admin\AppData\Local\Temp\0501748c-d414-4609-b8d2-ce6062af69bc.7z		—
		MD5:—	SHA256:—
5948	7z.exe	C:\Users\admin\AppData\Local\Temp\V0501748c-d414-4609-b8d2-ce6062af69bc\WinSAT.exe		—
		MD5:—	SHA256:—
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	C:\ProgramData\sevenZip\7z.exe		executable
		MD5:C31C4B04558396C6FABAB64DCF366534	SHA256:9D182F421381429FD77598FEB609FEFB54DCAEF722DDBF5AA611B68A706C10D3
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	C:\Users\admin\AppData\Local\Temp\rpymxh55.jfr.sln		text
		MD5:3FB112D052DEDC474FB9BD48B985BFEF	SHA256:61AAB92DA76C8919A2D029B4CDD3223F853802B5F799B1859CF5B96E6AE22CA2
3020	MicrosoftCorporation.exe	C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WinSAT.exe		—
		MD5:—	SHA256:—
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	C:\Users\admin\AppData\Roaming\Microsoft\Vault\muck_error_20240720_110911.log		text
		MD5:EB1A9671961A2A08B6EE14D827CB5272	SHA256:292B49A74D738F735B02CF7C7B6BA4357D2E21F44A9AAA8F98ABA6ED36306727
5168	WinSAT.exe	C:\Users\admin\AppData\Local\Temp\nse88B3.tmp\app-32.7z		—
		MD5:—	SHA256:—
5772	Service.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\babel.bat		text
		MD5:EE59AD824AB63DA2F08C4DB2F809A146	SHA256:F79EA324982A5E2EC73A3A6A7ACD13CBFBD83BF28267EE4FEC5098E332450730
6500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bxh05qzj.nrz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6500	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sgafrqig.hvf.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6104	curl.exe	GET	200	172.67.74.152:80	http://api.ipify.org/	unknown	—	—	whitelisted
3020	MicrosoftCorporation.exe	GET	200	172.67.74.152:80	http://api.ipify.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4716	svchost.exe	40.126.32.140:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
7856	svchost.exe	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	49.12.202.237:443	www.7-zip.org	Hetzner Online GmbH	DE	unknown
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	172.67.75.40:443	rentry.co	CLOUDFLARENET	US	unknown
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	185.199.110.133:443	raw.githubusercontent.com	FASTLY	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
login.live.com	40.126.32.140 40.126.32.68 40.126.32.72 20.190.160.17 20.190.160.14 40.126.32.136 40.126.32.74 20.190.160.22	whitelisted
google.com	142.250.186.174	whitelisted
www.7-zip.org	49.12.202.237	whitelisted
rentry.co	172.67.75.40 104.26.2.16 104.26.3.16	unknown
raw.githubusercontent.com	185.199.110.133 185.199.108.133 185.199.111.133 185.199.109.133	shared
text.is	188.114.97.3 188.114.96.3	unknown
paste.fo	172.67.144.225 104.21.28.76	malicious
cdn.gilcdn.com	3.160.150.40 3.160.150.17 3.160.150.117 3.160.150.55	unknown
muckcompany.store	82.197.83.213	unknown

Threats

PID	Process	Class	Message
2168	svchost.exe	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
6800	c506335a-5b49-4e68-9423-2cf8a5d95790.exe	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
2168	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
6384	RegAsm.exe	Domain Observed Used for C2 Detected	REMOTE [ANY.RUN] AsyncRAT SSL certificate
6384	RegAsm.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT Style SSL Cert
6384	RegAsm.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
7840	RegAsm.exe	Domain Observed Used for C2 Detected	REMOTE [ANY.RUN] AsyncRAT SSL certificate
7840	RegAsm.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT Style SSL Cert
7840	RegAsm.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
6384	RegAsm.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] AsyncRAT Successful Connection

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

/Myshas/Data-Encoder-Crypter-Encoded-Aes-Hidden-Startup/raw/main/Data%20Encoder%20Src/DataEncoder%20Crypte%E2%80%AEnls..scr

7C031479DEDAB585B453098453A09F35

401EC0BF7CE170A67C0317150C2B83885E8ABC54

138BE3A5769AF371A332CF9404CCA591CD78D594D6A072FA8047E222AC92770E

12288:6B3nNy7YxUxwiHiNa16z+VKJD0fSKz/dWDHKcD2k:enNyMxHiHcKVKJD0fSKz1WzKcD2k

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Adds path to the Windows Defender exclusion list

UAC/LUA settings modification

ASYNCRAT has been detected (SURICATA)

Windows Defender preferences modified via 'Set-MpPreference'

Uses Task Scheduler to run other applications

The DLL Hijacking

Attempting to use instant messaging service

Stealers network behavior

SUSPICIOUS

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Application launched itself

The process executes VB scripts

Process drops legitimate windows executable

Runs shell command (SCRIPT)

Likely accesses (executes) a file from the Public directory

Starts CMD.EXE for commands execution

Identifying current user with WHOAMI command

Executing commands from a ".bat" file

Using 'findstr.exe' to search for text patterns in files and output

Powershell scripting: start process

Starts POWERSHELL.EXE for commands execution

Starts a Microsoft application from unusual location

Script adds exclusion path to Windows Defender

Query Microsoft Defender preferences

The process bypasses the loading of PowerShell profile settings

Uses REG/REGEDIT.EXE to modify registry

The process creates files with name similar to system file names

Reads the date of Windows installation

Contacting a server suspected of hosting an CnC

Connects to unusual port

Malware-specific behavior (creating "System.dll" in Temp)

Starts application with an unusual extension

Uses WMIC.EXE to obtain BIOS management information

Uses WMIC.EXE to obtain memory chip information

Uses TASKKILL.EXE to kill process

Checks for external IP

Uses ATTRIB.EXE to modify file attributes

Process communicates with Telegram (possibly using it as an attacker's C2 server)

The process connected to a server suspected of theft

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Creates files in the program directory

Reads Environment values

Reads the software policy settings

Disables trace logs

Checks proxy server information

Reads Microsoft Office registry keys

Create files in a temporary directory

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Checks operating system version

Script raised an exception (POWERSHELL)

Potential library load (Base64 Encoded 'LoadLibrary')

Potential dynamic function import (Base64 Encoded 'GetProcAddress')

Potential access to remote process (Base64 Encoded 'OpenProcess')

Process checks computer location settings

Reads product name

The executable file from the user directory is run by the Powershell process

Reads CPU info

Attempting to use instant messaging service