Malware analysis 05bc64e823174c1bdf0b80db4ca19037.exe Malicious activity

Add for printing

File name:	05bc64e823174c1bdf0b80db4ca19037.exe
Full analysis:	https://app.any.run/tasks/3cad07c7-0e37-40b5-9a85-c63c97f8c50c
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	December 02, 2023, 16:35:23
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	autoit asyncrat
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	05BC64E823174C1BDF0B80DB4CA19037
SHA1:	CC4FD4CE2A491334122E00AE211F4F764CEDF20C
SHA256:	52F039142BB84B5268A2C83138818D3E89C3000F48EFD4405BFB22F1E3F9EA87
SSDEEP:	49152:ZBgzgT4XnQtJn0v2n5vU/Y4DnB2aWl+G/bsH2jyti3pUMP3zIbdV52gl:we43unpUgyB2/zssytipLzIp2gl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 05bc64e823174c1bdf0b80db4ca19037.exe (PID: 2604)
  - cmd.exe (PID: 1308)
  - Perceived.pif (PID: 1104)
- Create files in the Startup directory
  - cmd.exe (PID: 1760)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2800)
- ASYNCRAT has been detected (YARA)
  - RegAsm.exe (PID: 2652)
SUSPICIOUS
- Application launched itself
  - cmd.exe (PID: 2216)
  - cmd.exe (PID: 2796)
- Starts CMD.EXE for commands execution
  - 05bc64e823174c1bdf0b80db4ca19037.exe (PID: 2604)
  - cmd.exe (PID: 2796)
  - cmd.exe (PID: 2216)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 2796)
- Drops the AutoIt3 executable file
  - cmd.exe (PID: 1308)
  - Perceived.pif (PID: 1104)
- Get information on the list of running processes
  - cmd.exe (PID: 2796)
- Starts application with an unusual extension
  - cmd.exe (PID: 2796)
- The process creates files with name similar to system file names
  - Perceived.pif (PID: 1104)
- Process drops legitimate windows executable
  - Perceived.pif (PID: 1104)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 2796)
- Connects to unusual port
  - RegAsm.exe (PID: 2652)
INFO
- Checks supported languages
  - 05bc64e823174c1bdf0b80db4ca19037.exe (PID: 2604)
  - Perceived.pif (PID: 1104)
  - RegAsm.exe (PID: 2652)
- Create files in a temporary directory
  - 05bc64e823174c1bdf0b80db4ca19037.exe (PID: 2604)
  - Perceived.pif (PID: 1104)
- The executable file from the user directory is run by the CMD process
  - Perceived.pif (PID: 1104)
- Manual execution by a user
  - cmd.exe (PID: 2800)
  - RegAsm.exe (PID: 2652)
  - cmd.exe (PID: 1760)
- Reads the computer name
  - Perceived.pif (PID: 1104)
  - RegAsm.exe (PID: 2652)
- Reads mouse settings
  - Perceived.pif (PID: 1104)
- Creates files or folders in the user directory
  - Perceived.pif (PID: 1104)
  - RegAsm.exe (PID: 2652)
- Reads Environment values
  - RegAsm.exe (PID: 2652)
- Reads the machine GUID from the registry
  - RegAsm.exe (PID: 2652)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AsyncRat

(PID) Process(2652) RegAsm.exe

C2 (1)185.196.8.10

Ports (1)4449

BotnetAsguard-Protector

VersionBlackMAMBA

Options

AutoRunfalse

Mutexsogbvjdjlqcviydtz

InstallFolder%AppData%

BSoDfalse

AntiVMfalse

Certificates

Cert1MIICPzCCAaigAwIBAgIVAKWGRBApNXBWvuhH6s5twg/lB3gVMA0GCSqGSIb3DQEBDQUAMG4xGjAYBgNVBAMMEUJsYWNrTUFNQkEgU2VydmVyMRMwEQYDVQQLDApxd3FkYW5jaHVuMSEwHwYDVQQKDBhCbGFja01BTUJBIEJ5IHF3cWRhbmNodW4xCzAJBgNVBAcMAlNIMQswCQYDVQQGEwJDTjAeFw0yMzAxMDYxNDQyNTRaFw0zMzEwMTUxNDQyNTRaMBUxEzARBgNVBAMMCkJsYWNrTUFNQkEwgZ8wDQYJ...

Server_SignaturecEWggU7zPvgj267X3909i9blrcVw1j2pppLcv2HscrzjWygUxZ6EizlyO+nlo/cBEkYHqEsycu7beDX3JTE1SHWDJGDIWgd8Q/Aw/ckn9mVAD9xUsV4cCLCSu4R6FMfY+ip+YSnWsnGVfQZ4LK7vOSbE/HZKPXGOqAE8rFy8BS4=

Keys

AES7dffcab2e160da7f4f62ad76fc30b4bd49cb4f7ac6683a2d7d8c7be51d6c3fa3

SaltVenomRATByVenom

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable Delphi generic (37.4)
.scr	\|	Windows screen saver (34.5)
.exe	\|	Win32 Executable (generic) (11.9)
.exe	\|	Win16/32 Executable Delphi generic (5.4)
.exe	\|	Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2003:02:18 17:19:50+01:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	437248
InitializedDataSize:	893952
UninitializedDataSize:	-
EntryPoint:	0x6c788
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows command line
FileVersionNumber:	9.326.9.24565
ProductVersionNumber:	9.326.9.24565
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	Ð£Ð¿Ñ€Ð°Ð²Ð»ÐµÐ½Ð¸Ðµ Ð¼ÐµÐ½Ñ‚Ð°Ð»ÑŒÐ½Ñ‹Ð¼ Ð·Ð´Ð¾Ñ€Ð¾Ð²ÑŒÐµÐ¼ Ð¸ Ð¿ÑÐ¸Ñ…Ð¾Ð»Ð¾Ð³Ð¸Ñ‡ÐµÑÐºÐ¾Ð¹ ÑÐ¸Ð»Ð¾Ð¹
CompanyName:	MindWave
FileDescription:	Ð£Ð¿Ñ€Ð°Ð²Ð»ÐµÐ½Ð¸Ðµ Ð¼ÐµÐ½Ñ‚Ð°Ð»ÑŒÐ½Ñ‹Ð¼ Ð·Ð´Ð¾Ñ€Ð¾Ð²ÑŒÐµÐ¼ Ð¸ Ð¿ÑÐ¸Ñ…Ð¾Ð»Ð¾Ð³Ð¸Ñ‡ÐµÑÐºÐ¾Ð¹ ÑÐ¸Ð»Ð¾Ð¹
FileVersion:	9.326.9.90101
InternalName:	MindWave
LegalCopyright:	Copyright © MindWave Wellness 2008
ProductName:	MindWave
ProductVersion:	9.326.9.90101

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

776

ping -n 5 localhost

C:\Windows\SysWOW64\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

TCP/IP Ping Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1104

27485\Perceived.pif 27485\q

C:\Users\admin\AppData\Local\Temp\13401\27485\Perceived.pif

—

cmd.exe

User:

admin

Company:

AutoIt Team

Integrity Level:

MEDIUM

Description:

AutoIt v3 Script (Beta)

Exit code:

Version:

3, 3, 15, 4

Modules

Images
c:\users\admin\appdata\local\temp\13401\27485\perceived.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

1308

cmd /c copy /b Infected + Tin + Excited + Condo 27485\Perceived.pif

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1408

cmd /c mkdir 27485

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1760

cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave.url" & echo URL="C:\Users\admin\AppData\Local\MindWave Wellness\MindWave.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave.url" & exit

C:\Windows\System32\cmd.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2092

schtasks.exe /create /tn "Liquid" /tr "wscript 'C:\Users\admin\AppData\Local\MindWave Wellness\MindWave.js'" /sc minute /mo 3 /F

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

2216

cmd /k cmd < Enjoyed & exit

C:\Windows\SysWOW64\cmd.exe

—

05bc64e823174c1bdf0b80db4ca19037.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2300

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2316

cmd /c copy /b Orders + Cylinder 27485\q

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2604

"C:\Users\admin\AppData\Local\Temp\05bc64e823174c1bdf0b80db4ca19037.exe"

C:\Users\admin\AppData\Local\Temp\05bc64e823174c1bdf0b80db4ca19037.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\05bc64e823174c1bdf0b80db4ca19037.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

865

Read events

851

Write events

Delete events

Modification events


(PID) Process:	(2652) RegAsm.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2604	05bc64e823174c1bdf0b80db4ca19037.exe	C:\Users\admin\AppData\Local\Temp\13401\Excited		binary
		MD5:00B06C10CB0E907952EABC40D1066AF7	SHA256:FFD97D25C9D8E9A8B73C520745362828516689EA21489A60A891330030CF7675
2604	05bc64e823174c1bdf0b80db4ca19037.exe	C:\Users\admin\AppData\Local\Temp\13401\Infected		executable
		MD5:610A3DAD1E9C4E1E7FA902D90A27A626	SHA256:BAC0673233D6DAF1969CA8E084720B278F2E31F62C0DE1928B82885B8C893C7D
1308	cmd.exe	C:\Users\admin\AppData\Local\Temp\13401\27485\Perceived.pif		executable
		MD5:BFA84DBDE0DF8F1CAD3E179BD46A6E34	SHA256:6DE412B8674FFBA5D78FF9D36ABFFBE2CF86FD08B2231592FCA2FCF41F1F2314
2604	05bc64e823174c1bdf0b80db4ca19037.exe	C:\Users\admin\AppData\Local\Temp\13401\Cylinder		text
		MD5:28E2CBC2124D320395A949737C933C46	SHA256:35FD665E063AECCE54E6448C08B36D2C45749BBB7FE52C796E56E68E8F88558A
1104	Perceived.pif	C:\Users\admin\AppData\Local\MindWave Wellness\v		text
		MD5:2AEB25B87C0CB6A8F360F66CA69EDD70	SHA256:614DEC82F15CD338C88A43542B5BAB568A4A0C74FB52C0D8362A7D43E75CF8AF
1104	Perceived.pif	C:\Users\admin\AppData\Local\MindWave Wellness\MindWave.pif		executable
		MD5:BFA84DBDE0DF8F1CAD3E179BD46A6E34	SHA256:6DE412B8674FFBA5D78FF9D36ABFFBE2CF86FD08B2231592FCA2FCF41F1F2314
1760	cmd.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindWave.url		text
		MD5:353795816AE5B37D44A9024159D27EA8	SHA256:C0FC703B325B80CD526B0CF1AAA1A1BFEBBBFCB68A00B2493F690B950722E242
2316	cmd.exe	C:\Users\admin\AppData\Local\Temp\13401\27485\q		text
		MD5:2AEB25B87C0CB6A8F360F66CA69EDD70	SHA256:614DEC82F15CD338C88A43542B5BAB568A4A0C74FB52C0D8362A7D43E75CF8AF
1104	Perceived.pif	C:\Users\admin\AppData\Local\Temp\13401\27485\RegAsm.exe		executable
		MD5:B19FD9298FF205E8718CDEF5C19DF6FE	SHA256:1E9516DA2DED24D635F5FAB0347D34CEB76E50B2A015EBB1EE3B8EE69DE5FAAE
1104	Perceived.pif	C:\Users\admin\AppData\Local\MindWave Wellness\MindWave.js		text
		MD5:75EC55C2A09B385C689AC5D02EB765DB	SHA256:BD45C660A53B61FB7B941509462A8031A2172F3E37F5D910DB3A164AD5BB2342

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2652	RegAsm.exe	185.196.8.10:4449	—	—	US	unknown

DNS requests

Domain	IP	Reputation
JiOWngCJdXjgubID.JiOWngCJdXjgubID	—	unknown
dns.msftncsi.com	131.107.255.255	shared

Threats

No threats detected

Add for printing

No debug info

General Info

05bc64e823174c1bdf0b80db4ca19037.exe

05BC64E823174C1BDF0B80DB4CA19037

CC4FD4CE2A491334122E00AE211F4F764CEDF20C

52F039142BB84B5268A2C83138818D3E89C3000F48EFD4405BFB22F1E3F9EA87

49152:ZBgzgT4XnQtJn0v2n5vU/Y4DnB2aWl+G/bsH2jyti3pUMP3zIbdV52gl:we43unpUgyB2/zssytipLzIp2gl

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Create files in the Startup directory

Uses Task Scheduler to run other applications

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Application launched itself

Starts CMD.EXE for commands execution

Using 'findstr.exe' to search for text patterns in files and output

Drops the AutoIt3 executable file

Get information on the list of running processes

Starts application with an unusual extension

The process creates files with name similar to system file names

Process drops legitimate windows executable

Runs PING.EXE to delay simulation

Connects to unusual port

INFO

Checks supported languages

Create files in a temporary directory

The executable file from the user directory is run by the CMD process

Manual execution by a user

Reads the computer name

Reads mouse settings

Creates files or folders in the user directory

Reads Environment values

Reads the machine GUID from the registry

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings