Malware Analysis Report

2025-08-06 03:44

Sample ID 230501-j9kdzaeg74
Target B.PNG.ps1
SHA256 e2e4ce0315ef9f241c5d3ab09ccc9de3f8bd71f5388d8a4dd7fadd0a1110f266
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2e4ce0315ef9f241c5d3ab09ccc9de3f8bd71f5388d8a4dd7fadd0a1110f266

Threat Level: Known bad

The file B.PNG.ps1 was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 08:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 08:22

Reported

2023-05-01 08:24

Platform

win7-20230220-en

Max time kernel

124s

Max time network

33s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 888 wrote to memory of 756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 888 wrote to memory of 756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1488 wrote to memory of 676 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 1488 wrote to memory of 676 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 1488 wrote to memory of 676 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 676 wrote to memory of 708 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 676 wrote to memory of 708 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 676 wrote to memory of 708 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 708 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 708 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 708 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 664 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 1488 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 1488 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WScript.exe
PID 1952 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1952 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1952 wrote to memory of 1992 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1992 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1680 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs

C:\Windows\system32\taskeng.exe

taskeng.exe {96A0FE4B-C7EF-4F64-B5FA-23AF4A9C1D89} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\ProgramData\Nothing\1.bat" "

C:\Windows\system32\cmd.exe

CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\ProgramData\Nothing\1.bat" "

C:\Windows\system32\cmd.exe

CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

Network

N/A

Files

memory/888-58-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

memory/888-59-0x0000000002310000-0x0000000002318000-memory.dmp

memory/888-60-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/888-61-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/888-62-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/888-63-0x0000000002750000-0x00000000027D0000-memory.dmp

C:\ProgramData\Nothing\Nothing.vbs

MD5 617f5a86804776b6e4153709d03fd144
SHA1 2abe924e3ada5b487a9a67ee22e8e1c21a47b516
SHA256 b582e1508d3cc895cbb37a547a770a62e1c02ec555265f7bd231c734127b3867
SHA512 a40b25239589f3029a837077c639633e966f69c6c4096db1cad526e849fd5a44bef01270dc4f20049829ed8e85f1fae3e6e0b3d4be8c049d7c974df958136842

C:\ProgramData\Nothing\1.bat

MD5 2135f53fe669b95ef3dfc8159f002f35
SHA1 784f7c804a8017298a0444961da570c54e234128
SHA256 a012ee5f76492bcf0a72c415f098d0a0e21ea28f3a08e179089ed74ec1051134
SHA512 6115083a87f84bbbd28607c407324539c9ae5e6834c6d18404ed516f993ab4f7fedb246c192257183dc429bf2a23b84c81fa52e608a3486666a0ecd001614b92

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f38b34292f21c48f9c8bb29f52996958
SHA1 5e6855b407b86d8b8037257e9136f455191c0f37
SHA256 a12d6c5d38997595ca51f04c06644b535d61d0ca8edfa2dd1330b0ccbf393e17
SHA512 c0118d98c11e68c0116f649a69e92c791fbd0cfffe94f2fb089af51c2ec3e5e31edf748320be7d4695c18294fb465fd75be35e9157342eaf69e793f3d0f2c5cc

memory/1004-76-0x000000001B280000-0x000000001B562000-memory.dmp

memory/1004-77-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/1004-78-0x0000000001ED0000-0x0000000001F50000-memory.dmp

memory/1004-80-0x0000000001ED0000-0x0000000001F50000-memory.dmp

memory/1004-79-0x0000000001ED0000-0x0000000001F50000-memory.dmp

C:\ProgramData\Nothing\Nothing.ps1

MD5 633e2bd5aad471f331d308b70df2cde7
SHA1 187f14b57103beffada3b283eeba4f528a466b00
SHA256 d1e4eab2f9cb99e6d3fcf39b82bfcf7cdc216cd355570b8305c15877889afcea
SHA512 7c36819998154344f6ae6c68b2f72d559fd92a088fd4a96c30b75727310cdcf36b4f42dc57f66a4e438ff1cac1fa121479e7d20630b7ddfdc1ebb520b343fb80

memory/1004-82-0x0000000001ED0000-0x0000000001F50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d07e097d008a8343054dd7e2f4585475
SHA1 d35cccb156bf9977b02561137a63028bd1102cdf
SHA256 64e5b405fceae8bb16d1481f40a2e5ca22bc5a64468a3fd6576ad45e15d4050a
SHA512 c49ab6dd37ed1cd77e289127b27eaf1c5d998ca750ecb28dca20199115a954e5290e7ac3d8cf95778b7de276f026b8ba91da9f0d7b80948ca60703624cb491bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5H186Z0T0KT7TF0FZJ7.temp

MD5 d07e097d008a8343054dd7e2f4585475
SHA1 d35cccb156bf9977b02561137a63028bd1102cdf
SHA256 64e5b405fceae8bb16d1481f40a2e5ca22bc5a64468a3fd6576ad45e15d4050a
SHA512 c49ab6dd37ed1cd77e289127b27eaf1c5d998ca750ecb28dca20199115a954e5290e7ac3d8cf95778b7de276f026b8ba91da9f0d7b80948ca60703624cb491bd

memory/1704-88-0x0000000002714000-0x0000000002717000-memory.dmp

memory/1704-89-0x000000000271B000-0x0000000002752000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 08:22

Reported

2023-05-01 08:24

Platform

win10v2004-20230220-en

Max time kernel

130s

Max time network

146s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 4656 wrote to memory of 408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 4700 wrote to memory of 4084 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4084 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4084 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4084 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1472 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5056 wrote to memory of 1952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 1952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 1952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5056 wrote to memory of 3372 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 964 wrote to memory of 4952 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 964 wrote to memory of 4952 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3908 wrote to memory of 1800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "

C:\Windows\system32\cmd.exe

CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "

C:\Windows\system32\cmd.exe

CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 52.168.112.66:443 N/A tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 254.166.241.8.in-addr.arpa udp
US 8.8.8.8:53 Modyhr.ddnsfree.com udp
US 45.80.158.121:7707 Modyhr.ddnsfree.com tcp
US 8.8.8.8:53 121.158.80.45.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qmr1y0s5.afd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4656-142-0x0000028E88620000-0x0000028E88642000-memory.dmp

memory/4656-143-0x0000028E88460000-0x0000028E88470000-memory.dmp

memory/4656-144-0x0000028E88460000-0x0000028E88470000-memory.dmp

memory/4656-145-0x0000028E88460000-0x0000028E88470000-memory.dmp

memory/4656-150-0x0000028E88460000-0x0000028E88470000-memory.dmp

memory/4656-151-0x0000028E88460000-0x0000028E88470000-memory.dmp

memory/4656-152-0x0000028E88460000-0x0000028E88470000-memory.dmp

C:\ProgramData\Nothing\Nothing.vbs

MD5 617f5a86804776b6e4153709d03fd144
SHA1 2abe924e3ada5b487a9a67ee22e8e1c21a47b516
SHA256 b582e1508d3cc895cbb37a547a770a62e1c02ec555265f7bd231c734127b3867
SHA512 a40b25239589f3029a837077c639633e966f69c6c4096db1cad526e849fd5a44bef01270dc4f20049829ed8e85f1fae3e6e0b3d4be8c049d7c974df958136842

C:\ProgramData\Nothing\1.bat

MD5 2135f53fe669b95ef3dfc8159f002f35
SHA1 784f7c804a8017298a0444961da570c54e234128
SHA256 a012ee5f76492bcf0a72c415f098d0a0e21ea28f3a08e179089ed74ec1051134
SHA512 6115083a87f84bbbd28607c407324539c9ae5e6834c6d18404ed516f993ab4f7fedb246c192257183dc429bf2a23b84c81fa52e608a3486666a0ecd001614b92

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 223bd4ae02766ddc32e6145fd1a29301
SHA1 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA256 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3003448ee73abf14d5c8011a37c40600
SHA1 b88e9cdbae2e27a25f0858fc0b6d79533fb160d8
SHA256 ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a
SHA512 0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

C:\ProgramData\Nothing\Nothing.ps1

MD5 633e2bd5aad471f331d308b70df2cde7
SHA1 187f14b57103beffada3b283eeba4f528a466b00
SHA256 d1e4eab2f9cb99e6d3fcf39b82bfcf7cdc216cd355570b8305c15877889afcea
SHA512 7c36819998154344f6ae6c68b2f72d559fd92a088fd4a96c30b75727310cdcf36b4f42dc57f66a4e438ff1cac1fa121479e7d20630b7ddfdc1ebb520b343fb80

memory/5056-170-0x0000026446400000-0x0000026446410000-memory.dmp

memory/5056-171-0x0000026446400000-0x0000026446410000-memory.dmp

memory/5056-172-0x0000026446400000-0x0000026446410000-memory.dmp

memory/3372-173-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3372-175-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3372-176-0x0000000005F80000-0x0000000006524000-memory.dmp

memory/3372-177-0x0000000005B70000-0x0000000005C02000-memory.dmp

memory/3372-178-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

memory/3372-179-0x0000000006670000-0x000000000670C000-memory.dmp

memory/3372-180-0x0000000006710000-0x0000000006776000-memory.dmp

memory/3372-181-0x00000000057C0000-0x00000000057D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb7666e5e5cad13b3a781f3d2eb0d24f
SHA1 6578ad7f4f59ebd771a1351cc3df7f87d471b033
SHA256 cafff50a0d49b0a3770acc5c5d4433f5ad01f1a7d5479484912c8e9664880137
SHA512 ffc2b6a5730ef07f907b8c2617388ac2d2abb4cd0035a4baf086eb3a8c62bb5da16259387f3d64e803fbac9e243a611efca12462c2b98449826b10787b740b04

memory/3908-192-0x0000022A6A1F0000-0x0000022A6A200000-memory.dmp

memory/3908-193-0x0000022A6A1F0000-0x0000022A6A200000-memory.dmp

memory/3908-194-0x0000022A6A1F0000-0x0000022A6A200000-memory.dmp

memory/1800-197-0x0000000004DA0000-0x0000000004DB0000-memory.dmp