asyncrat | bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
04-04-2021 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1CEE64EFC81D4853D76E04A737F114C9.exe
Size

685KB
MD5

1cee64efc81d4853d76e04a737f114c9
SHA1

df7da998dd6a70631c6d8d1bd007f0820155d61c
SHA256

bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
SHA512

eec88ead0f188bb84fd7a22fc8a1d392dec18e5d6715574f50de76466e5877e64c186c0a68892fbb385d68d76468c3c905e8ef26f4f937a224144ff424dd8f5b

Score

10^/10

asyncrat plaguebot botnet persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7G | Custom Edition

179.43.140.208:7707

179.43.140.208:8808

179.43.140.208:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:6606

Mutex

AsyncRAT_Mutex_vdYIIf87BI

Attributes

aes_key
Mrwz4gGTldVjtABCZMeijWElvNsBLIbU
anti_detection
false
autorun
false
bdos
false
delay
Trino
host
179.43.140.208,127.0.0.1
hwid
30
install_file
install_folder
%AppData%
mutex
AsyncRAT_Mutex_vdYIIf87BI
pastebin_config
null
port
7707,8808,6606
version
0.5.7G | Custom Edition

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1696-7-0x0000000000400000-0x0000000000480000-memory.dmp	asyncrat
behavioral1/memory/1696-8-0x00000000044D0000-0x000000000453A000-memory.dmp	asyncrat
behavioral1/memory/1696-14-0x0000000005100000-0x0000000005107000-memory.dmp	asyncrat

PlagueBot Executable 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\arvfcq.exe	plaguebot
\Users\Admin\AppData\Local\Temp\arvfcq.exe	plaguebot
\Users\Admin\AppData\Local\Temp\arvfcq.exe	plaguebot
C:\Users\Admin\AppData\Local\Temp\arvfcq.exe	plaguebot
\Users\Admin\Saved Games\Plague\winmgr.exe	plaguebot
\Users\Admin\Saved Games\Plague\winmgr.exe	plaguebot
C:\Users\Admin\Saved Games\Plague\winmgr.exe	plaguebot
C:\Users\Admin\Saved Games\Plague\winmgr.exe	plaguebot
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	plaguebot

Executes dropped EXE 6 IoCs

Processes:

arvfcq.exewinmgr.exeaxirid.exeaxirid.exesihost64.exeServicesTeamWD.exe

pid process

1360 arvfcq.exe
944 winmgr.exe
1836 axirid.exe
1796 axirid.exe
824 sihost64.exe
1044 ServicesTeamWD.exe

pid	process
1360	arvfcq.exe
944	winmgr.exe
1836	axirid.exe
1796	axirid.exe
824	sihost64.exe
1044	ServicesTeamWD.exe

Drops startup file 3 IoCs

Processes:

arvfcq.exewinmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	arvfcq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	arvfcq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe	winmgr.exe

Loads dropped DLL 11 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exepowershell.exearvfcq.exepowershell.exeaxirid.exeaxirid.exeServicesTeamWD.exe

pid	process
2008	1CEE64EFC81D4853D76E04A737F114C9.exe
1660	powershell.exe
1660	powershell.exe
1360	arvfcq.exe
1360	arvfcq.exe
2012	powershell.exe
1836	axirid.exe
1836	axirid.exe
1796	axirid.exe
1796	axirid.exe
1044	ServicesTeamWD.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

axirid.exearvfcq.exeaxirid.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServicesTeamWD.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ServicesTeamWD.exe"	axirid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinManager = "C:\\Users\\Admin\\Saved Games\\Plague\\winmgr.exe"	arvfcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBLOCK.exe = "C:\\Users\\Admin\\AppData\\Roaming\\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstu"	axirid.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exeaxirid.exe

description	pid	process	target process
PID 2008 set thread context of 1696	2008	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 1836 set thread context of 1796	1836	axirid.exe	axirid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 16 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\axirid.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\ServicesTeamWD.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\ServicesTeamWD.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1596 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

988 timeout.exe

pid	process
1596	schtasks.exe

pid	process
988	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exepowershell.exe1CEE64EFC81D4853D76E04A737F114C9.exepowershell.exeaxirid.exe

pid	process
2008	1CEE64EFC81D4853D76E04A737F114C9.exe
2008	1CEE64EFC81D4853D76E04A737F114C9.exe
2008	1CEE64EFC81D4853D76E04A737F114C9.exe
2008	1CEE64EFC81D4853D76E04A737F114C9.exe
1660	powershell.exe
1696	1CEE64EFC81D4853D76E04A737F114C9.exe
1660	powershell.exe
2012	powershell.exe
1696	1CEE64EFC81D4853D76E04A737F114C9.exe
2012	powershell.exe
1796	axirid.exe
1796	axirid.exe
1796	axirid.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exeaxirid.exe

pid process

2008 1CEE64EFC81D4853D76E04A737F114C9.exe
1836 axirid.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exepowershell.exepowershell.exeaxirid.exe

description	pid	process
Token: SeDebugPrivilege	1696	1CEE64EFC81D4853D76E04A737F114C9.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1796	axirid.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe1CEE64EFC81D4853D76E04A737F114C9.execmd.exepowershell.exearvfcq.exewinmgr.execmd.execmd.exepowershell.exeaxirid.exeaxirid.exe

description	pid	process	target process
PID 2008 wrote to memory of 1696	2008	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 2008 wrote to memory of 1696	2008	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 2008 wrote to memory of 1696	2008	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 2008 wrote to memory of 1696	2008	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 2008 wrote to memory of 1696	2008	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 1696 wrote to memory of 1512	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1512 wrote to memory of 1660	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1660	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1660	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1660	1512	cmd.exe	powershell.exe
PID 1660 wrote to memory of 1360	1660	powershell.exe	arvfcq.exe
PID 1660 wrote to memory of 1360	1660	powershell.exe	arvfcq.exe
PID 1660 wrote to memory of 1360	1660	powershell.exe	arvfcq.exe
PID 1660 wrote to memory of 1360	1660	powershell.exe	arvfcq.exe
PID 1360 wrote to memory of 1596	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 1596	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 1596	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 1596	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 752	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 752	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 752	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 752	1360	arvfcq.exe	schtasks.exe
PID 1360 wrote to memory of 944	1360	arvfcq.exe	winmgr.exe
PID 1360 wrote to memory of 944	1360	arvfcq.exe	winmgr.exe
PID 1360 wrote to memory of 944	1360	arvfcq.exe	winmgr.exe
PID 1360 wrote to memory of 944	1360	arvfcq.exe	winmgr.exe
PID 944 wrote to memory of 920	944	winmgr.exe	schtasks.exe
PID 944 wrote to memory of 920	944	winmgr.exe	schtasks.exe
PID 944 wrote to memory of 920	944	winmgr.exe	schtasks.exe
PID 944 wrote to memory of 920	944	winmgr.exe	schtasks.exe
PID 944 wrote to memory of 1648	944	winmgr.exe	cmd.exe
PID 944 wrote to memory of 1648	944	winmgr.exe	cmd.exe
PID 944 wrote to memory of 1648	944	winmgr.exe	cmd.exe
PID 944 wrote to memory of 1648	944	winmgr.exe	cmd.exe
PID 1648 wrote to memory of 988	1648	cmd.exe	timeout.exe
PID 1648 wrote to memory of 988	1648	cmd.exe	timeout.exe
PID 1648 wrote to memory of 988	1648	cmd.exe	timeout.exe
PID 1648 wrote to memory of 988	1648	cmd.exe	timeout.exe
PID 1696 wrote to memory of 1576	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1696 wrote to memory of 1576	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1696 wrote to memory of 1576	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1696 wrote to memory of 1576	1696	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 2012	1576	cmd.exe	powershell.exe
PID 2012 wrote to memory of 1836	2012	powershell.exe	axirid.exe
PID 2012 wrote to memory of 1836	2012	powershell.exe	axirid.exe
PID 2012 wrote to memory of 1836	2012	powershell.exe	axirid.exe
PID 2012 wrote to memory of 1836	2012	powershell.exe	axirid.exe
PID 1836 wrote to memory of 1796	1836	axirid.exe	axirid.exe
PID 1836 wrote to memory of 1796	1836	axirid.exe	axirid.exe
PID 1836 wrote to memory of 1796	1836	axirid.exe	axirid.exe
PID 1836 wrote to memory of 1796	1836	axirid.exe	axirid.exe
PID 1836 wrote to memory of 1796	1836	axirid.exe	axirid.exe
PID 1796 wrote to memory of 824	1796	axirid.exe	sihost64.exe
PID 1796 wrote to memory of 824	1796	axirid.exe	sihost64.exe
PID 1796 wrote to memory of 824	1796	axirid.exe	sihost64.exe
PID 1796 wrote to memory of 824	1796	axirid.exe	sihost64.exe
PID 1796 wrote to memory of 1044	1796	axirid.exe	ServicesTeamWD.exe
PID 1796 wrote to memory of 1044	1796	axirid.exe	ServicesTeamWD.exe

C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe
"C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe
  "C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\arvfcq.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\arvfcq.exe"'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\arvfcq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\arvfcq.exe"
        5⤵
        Executes dropped EXE
        Drops startup file
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1360
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
        6⤵
        Creates scheduled task(s)
        
        PID:1596
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Query /FO "LIST" /TN "WinManager"
        6⤵
        
        PID:752
      - C:\Users\Admin\Saved Games\Plague\winmgr.exe
        
        "C:\Users\Admin\Saved Games\Plague\winmgr.exe" /wait
        6⤵
        Executes dropped EXE
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN "WinManager"
        7⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C timeout 5 & del /F /Q "C:\Users\Admin\Saved Games\Plague\*.*" & rmdir "C:\Users\Admin\Saved Games\Plague"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\axirid.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\axirid.exe"'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\axirid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\axirid.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Temp\axirid.exe
        
        "C:\Users\Admin\AppData\Local\Temp\axirid.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe
        
        "C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
d4174ccad63d3ff60552281a586e52fb

SHA1
92834b18e050fc493f4bc322327c847a200d9854

SHA256
e6ac986521722f78fdad0b5509ead9611e2f05267b852b86ef71f6740f367777

SHA512
1d1a31cc82ceea8cab4d2a88caf3a8a140935ffcd51baa7a72344ac23b02d0e6b7ec49e85ec0d78cf015a8177d714875c42e2c204a1c9da83ddbb8c58fc6b657

Download Submit
C:\Users\Admin\AppData\Local\Temp\2lweucxvs4hw

MD5
f369cf0d7a1b980637d240c6c1a0249f

SHA1
9825ae942d7dcc761708883bcfafa9a6d23d95c9

SHA256
44aab1e2df1ddf1372a5ebf3bfee1fe89fc94ae3c8ecf6b30863e6bf8b9f1146

SHA512
b49688d9b73ea927d8c16f4d332242462bc90e3282fb94cc6567a900349f081e29290128e8149ee3235a4ee0f3b15e478cebb8b2beb077d72be098ec6dd7e7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewTask.xml

MD5
040bab484e5dba8af40349187581d0e7

SHA1
112462e95867fe1626745cb77640c5ac90b62891

SHA256
7042c3ec72ad79d551af0821d6aafdf2f15d7959bd6c50a4fcb603b40ef38a23

SHA512
2bdd62bc1708725f07da50a097ded4df0b4c6ba378fef9b23342c26e6460b44c4e59b11e994f50381444c802a71e08d4477a7609e63cb710020bb30c8465d120

Download Submit
C:\Users\Admin\AppData\Local\Temp\arvfcq.exe

MD5
0fe9fdb50f12fd68762d7f9003b08185

SHA1
a8d3e7f674235b2334845fab4ec311d4677b3a74

SHA256
406644cd457a3bae4bc93d6e3a52ba0942a30c036b737dbcd5233725dc68430f

SHA512
6cd8745d4725e647a5f737557c5ede2b2553b61f230fb9fa44ce31344987fb2a1431b51c5c1ebaeac13ea1af08c2a4fe132e534f996d83432785fa61a7680ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\arvfcq.exe

MD5
0fe9fdb50f12fd68762d7f9003b08185

SHA1
a8d3e7f674235b2334845fab4ec311d4677b3a74

SHA256
406644cd457a3bae4bc93d6e3a52ba0942a30c036b737dbcd5233725dc68430f

SHA512
6cd8745d4725e647a5f737557c5ede2b2553b61f230fb9fa44ce31344987fb2a1431b51c5c1ebaeac13ea1af08c2a4fe132e534f996d83432785fa61a7680ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\axirid.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
C:\Users\Admin\AppData\Local\Temp\axirid.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
C:\Users\Admin\AppData\Local\Temp\axirid.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6mwv89qbsl

MD5
a2a8ee0443949f94cfd07fef3391b908

SHA1
64d39692f99806489f5bf5d6a702b3611edb2e3b

SHA256
566551270a76690f61815232012e246e82acae395a3cf5802aa76bc19ddd0c66

SHA512
1391c0bcd0915d3c3f9ae20e6eea2411c1bf15d52c146882cc95a1e74cc0c191ef2d57cd204a334a614f5cf2d44167f71c2b23aeaabd70dc4d2fb293c4fc55cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
bcccc120fe256a0027a957158a3e582b

SHA1
018bdf47070c72efa2560c3a67be3a614b79c14d

SHA256
b85abd94b004db20e4159e500d90784f38a3736ba7108900c7cc2ec0478f715f

SHA512
3df97c5a19aa3b5935aab590eea252a11005e26a1e42692d4d08a84272a5b44d7a87adbd5cb93b1da61449de233130626eda1a621d8f9392bd352b705a1797da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winmgr.exe

MD5
0fe9fdb50f12fd68762d7f9003b08185

SHA1
a8d3e7f674235b2334845fab4ec311d4677b3a74

SHA256
406644cd457a3bae4bc93d6e3a52ba0942a30c036b737dbcd5233725dc68430f

SHA512
6cd8745d4725e647a5f737557c5ede2b2553b61f230fb9fa44ce31344987fb2a1431b51c5c1ebaeac13ea1af08c2a4fe132e534f996d83432785fa61a7680ab5

Download Submit
C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
1d5eca4389c49a24711aaf027a808abf

SHA1
0d29cc3eb946fbbb5f7ded01b1db10f5fa4e6fd0

SHA256
e5c6d8ddb981a9b1b7ac2ccf3a69ca1159e230478d5522ec219bc7f83bab4d15

SHA512
68c0f0c896224823e8f54fada7fe690ee184ccc6c2683d0b218c3dd4fe949e44b68d0315f628be20b17af58a046a5bc71c9937f1c6ca7d1db4f1ff0fe8bac2c2

Download Submit
C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
1d5eca4389c49a24711aaf027a808abf

SHA1
0d29cc3eb946fbbb5f7ded01b1db10f5fa4e6fd0

SHA256
e5c6d8ddb981a9b1b7ac2ccf3a69ca1159e230478d5522ec219bc7f83bab4d15

SHA512
68c0f0c896224823e8f54fada7fe690ee184ccc6c2683d0b218c3dd4fe949e44b68d0315f628be20b17af58a046a5bc71c9937f1c6ca7d1db4f1ff0fe8bac2c2

Download Submit
C:\Users\Admin\Saved Games\Plague\winmgr.exe

MD5
36f100f5caa28c779b8c04545c4a1dec

SHA1
ea63760f2431df52437fccb5ff52687cb2db5b80

SHA256
f0d8b33a2eea7cf381d26bece74e780ca64efa335bc8f53742e24a65014a92db

SHA512
e38650709a9382016fd618b27e310a0ff0bd1cb8a878555f48936eddfb9f750849ad832392311bd65ed836605e977da13bbe88a9dac71ffd319014032b2201eb

Download Submit
C:\Users\Admin\Saved Games\Plague\winmgr.exe

MD5
36f100f5caa28c779b8c04545c4a1dec

SHA1
ea63760f2431df52437fccb5ff52687cb2db5b80

SHA256
f0d8b33a2eea7cf381d26bece74e780ca64efa335bc8f53742e24a65014a92db

SHA512
e38650709a9382016fd618b27e310a0ff0bd1cb8a878555f48936eddfb9f750849ad832392311bd65ed836605e977da13bbe88a9dac71ffd319014032b2201eb

Download Submit
\Users\Admin\AppData\Local\Temp\arvfcq.exe

MD5
0fe9fdb50f12fd68762d7f9003b08185

SHA1
a8d3e7f674235b2334845fab4ec311d4677b3a74

SHA256
406644cd457a3bae4bc93d6e3a52ba0942a30c036b737dbcd5233725dc68430f

SHA512
6cd8745d4725e647a5f737557c5ede2b2553b61f230fb9fa44ce31344987fb2a1431b51c5c1ebaeac13ea1af08c2a4fe132e534f996d83432785fa61a7680ab5

Download Submit
\Users\Admin\AppData\Local\Temp\arvfcq.exe

MD5
0fe9fdb50f12fd68762d7f9003b08185

SHA1
a8d3e7f674235b2334845fab4ec311d4677b3a74

SHA256
406644cd457a3bae4bc93d6e3a52ba0942a30c036b737dbcd5233725dc68430f

SHA512
6cd8745d4725e647a5f737557c5ede2b2553b61f230fb9fa44ce31344987fb2a1431b51c5c1ebaeac13ea1af08c2a4fe132e534f996d83432785fa61a7680ab5

Download Submit
\Users\Admin\AppData\Local\Temp\axirid.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
\Users\Admin\AppData\Local\Temp\axirid.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3718.tmp\ze0siavqq0.dll

MD5
a97a99b3d7b5837fa96311f2282726ea

SHA1
b7f4f1a53dd571329278805e3ec8592597bebac5

SHA256
77af7478333b6e8b984f3795fc77b5c05d4e518d8a9491bf7636e89916be9bd1

SHA512
1554a61b67e0242fc15aa697f33e1d348e0a471cfae0f6fd4c2215c1b02df9b0112b01c0dcea66e05aeba6aa2593435a599a4fc0bab546344f61deb8798ebe3c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi7D5B.tmp\ze0siavqq0.dll

MD5
a97a99b3d7b5837fa96311f2282726ea

SHA1
b7f4f1a53dd571329278805e3ec8592597bebac5

SHA256
77af7478333b6e8b984f3795fc77b5c05d4e518d8a9491bf7636e89916be9bd1

SHA512
1554a61b67e0242fc15aa697f33e1d348e0a471cfae0f6fd4c2215c1b02df9b0112b01c0dcea66e05aeba6aa2593435a599a4fc0bab546344f61deb8798ebe3c

Download Submit
\Users\Admin\AppData\Local\Temp\nss2F0D.tmp\bmzqq630.dll

MD5
7fa64127ee51ac86aa1d9a2a055abf65

SHA1
7a23d0774f7021b718e1b144249af8dcbba01db7

SHA256
708bc3f2bac4f7c2c54efdac158117155271e39d8cee325c31ef676824d765b3

SHA512
d8b71ddd412fe63ff0b0335d585c6d0a07075fe3dfa451657a803127d037e00ed805e30cdda937003a5c63ea07e37f9ed967c0b0376aed5729557ee5efb8ed57

Download Submit
\Users\Admin\AppData\Roaming\ServicesTeamWD.exe

MD5
68a2075596a91ec5715f4a3152121d6e

SHA1
a1f021a348d6af1e45f9904f3b4e6d355c325180

SHA256
a2a63cfdbfd3df1f31ea71ba94ec2e2baeb0433cb82d56111822cd931ebd0e9d

SHA512
a18a682660fa7eb198495b0e4c2cf410379594d85d2e0cd40c5c0fa0dfcac282c87084e04a61debea7402cf60b53e4fdafaa78ae471b76bf66517722e52586db

Download Submit
\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe

MD5
1d5eca4389c49a24711aaf027a808abf

SHA1
0d29cc3eb946fbbb5f7ded01b1db10f5fa4e6fd0

SHA256
e5c6d8ddb981a9b1b7ac2ccf3a69ca1159e230478d5522ec219bc7f83bab4d15

SHA512
68c0f0c896224823e8f54fada7fe690ee184ccc6c2683d0b218c3dd4fe949e44b68d0315f628be20b17af58a046a5bc71c9937f1c6ca7d1db4f1ff0fe8bac2c2

Download Submit
\Users\Admin\Saved Games\Plague\winmgr.exe

MD5
36f100f5caa28c779b8c04545c4a1dec

SHA1
ea63760f2431df52437fccb5ff52687cb2db5b80

SHA256
f0d8b33a2eea7cf381d26bece74e780ca64efa335bc8f53742e24a65014a92db

SHA512
e38650709a9382016fd618b27e310a0ff0bd1cb8a878555f48936eddfb9f750849ad832392311bd65ed836605e977da13bbe88a9dac71ffd319014032b2201eb

Download Submit
\Users\Admin\Saved Games\Plague\winmgr.exe

MD5
36f100f5caa28c779b8c04545c4a1dec

SHA1
ea63760f2431df52437fccb5ff52687cb2db5b80

SHA256
f0d8b33a2eea7cf381d26bece74e780ca64efa335bc8f53742e24a65014a92db

SHA512
e38650709a9382016fd618b27e310a0ff0bd1cb8a878555f48936eddfb9f750849ad832392311bd65ed836605e977da13bbe88a9dac71ffd319014032b2201eb

Download Submit
memory/752-50-0x0000000000000000-mapping.dmp

Download
memory/824-115-0x000000001AA80000-0x000000001AA82000-memory.dmp

Filesize
8KB

Download
memory/824-101-0x0000000000000000-mapping.dmp

Download
memory/824-104-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

Filesize
9.9MB

Download
memory/824-113-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/920-56-0x0000000000000000-mapping.dmp

Download
memory/944-53-0x0000000000000000-mapping.dmp

Download
memory/988-60-0x0000000000000000-mapping.dmp

Download
memory/1044-106-0x0000000000000000-mapping.dmp

Download
memory/1360-44-0x0000000000000000-mapping.dmp

Download
memory/1512-15-0x0000000000000000-mapping.dmp

Download
memory/1576-62-0x0000000000000000-mapping.dmp

Download
memory/1596-47-0x0000000000000000-mapping.dmp

Download
memory/1648-59-0x0000000000000000-mapping.dmp

Download
memory/1660-22-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1660-40-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1660-24-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1660-23-0x0000000004712000-0x0000000004713000-memory.dmp

Filesize
4KB

Download
memory/1660-32-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1660-21-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1660-20-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1660-19-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1660-18-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-16-0x0000000000000000-mapping.dmp

Download
memory/1660-33-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1660-27-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1660-49-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1696-13-0x00000000045D4000-0x00000000045D5000-memory.dmp

Filesize
4KB

Download
memory/1696-12-0x00000000045D3000-0x00000000045D4000-memory.dmp

Filesize
4KB

Download
memory/1696-10-0x00000000045D1000-0x00000000045D2000-memory.dmp

Filesize
4KB

Download
memory/1696-11-0x00000000045D2000-0x00000000045D3000-memory.dmp

Filesize
4KB

Download
memory/1696-8-0x00000000044D0000-0x000000000453A000-memory.dmp

Filesize
424KB

Download
memory/1696-6-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1696-7-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1696-4-0x000000000040188B-mapping.dmp

Download
memory/1696-14-0x0000000005100000-0x0000000005107000-memory.dmp

Filesize
28KB

Download
memory/1796-89-0x000000000040188B-mapping.dmp

Download
memory/1796-94-0x0000000004A70000-0x0000000004C63000-memory.dmp

Filesize
1.9MB

Download
memory/1796-98-0x0000000004833000-0x0000000004834000-memory.dmp

Filesize
4KB

Download
memory/1796-97-0x0000000004832000-0x0000000004833000-memory.dmp

Filesize
4KB

Download
memory/1796-96-0x0000000004831000-0x0000000004832000-memory.dmp

Filesize
4KB

Download
memory/1796-99-0x0000000004834000-0x0000000004835000-memory.dmp

Filesize
4KB

Download
memory/1796-93-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1796-92-0x0000000000400000-0x0000000000609000-memory.dmp

Filesize
2.0MB

Download
memory/1836-87-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/1836-83-0x0000000000000000-mapping.dmp

Download
memory/2008-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/2012-80-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/2012-72-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2012-71-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/2012-70-0x0000000004832000-0x0000000004833000-memory.dmp

Filesize
4KB

Download
memory/2012-69-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/2012-68-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2012-67-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2012-66-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-63-0x0000000000000000-mapping.dmp

Download