Malware Analysis Report

2025-06-16 02:14

Sample ID 240125-r515xshec3
Target client.exe
SHA256 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
Tags
rat default asyncrat
score
10/10

Analysis Overview

score
10/10

SHA256

4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56

Threat Level: Known bad

The file client.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Async RAT payload

Asyncrat family

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 14:47

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 14:47

Reported

2024-01-25 14:50

Platform

win7-20231215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\client.exe C:\Windows\System32\cmd.exe
PID 2944 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\client.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2316 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2792 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\chromeupdate.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\client.exe

"C:\Users\Admin\AppData\Local\Temp\client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F11.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'

C:\Users\Admin\AppData\Roaming\chromeupdate.exe

"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"

Network

Country Destination Domain Proto
BG 93.123.39.68:4449 tcp

Files

memory/2944-0-0x0000000001240000-0x0000000001258000-memory.dmp

memory/2944-1-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

memory/2944-3-0x000000001ADF0000-0x000000001AE70000-memory.dmp

memory/2944-8-0x0000000077080000-0x0000000077229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5F11.tmp.bat

MD5 9939a4bc8388d70b708ab7e0f2a3757e
SHA1 d18fd1e5f2d974dba43f7644c29416f0c6a82005
SHA256 1cce710732f8041f379bb92b9594b79851bac02a2005b7ab166e6e9ba3e5ddc3
SHA512 97c8613d0501c2a46df171b5485adbb365d2d969834dae9fef00e1740d647c3e2087211c624ae4f300e966e3c1a31037e5339bb89ff34966a99dfe8c90e8b5d1

memory/2944-14-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

memory/2944-15-0x0000000077080000-0x0000000077229000-memory.dmp

C:\Users\Admin\AppData\Roaming\chromeupdate.exe

MD5 25b6389bbaa746df85d53714d4a6d477
SHA1 86e6443e902f180f32fb434e06ecf45d484582e3
SHA256 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
SHA512 6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4

memory/2680-19-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2680-21-0x000007FEF4A50000-0x000007FEF543C000-memory.dmp

memory/2680-22-0x0000000002180000-0x0000000002200000-memory.dmp

memory/2680-23-0x0000000077080000-0x0000000077229000-memory.dmp

memory/2680-24-0x000007FEF4A50000-0x000007FEF543C000-memory.dmp

memory/2680-25-0x0000000002180000-0x0000000002200000-memory.dmp

memory/2680-26-0x0000000077080000-0x0000000077229000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 14:47

Reported

2024-01-25 14:50

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\chromeupdate.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\client.exe

"C:\Users\Admin\AppData\Local\Temp\client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8FAD.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\chromeupdate.exe

"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BG 93.123.39.68:4449 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
GB 96.16.110.41:443 tcp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/3580-0-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

memory/3580-2-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

memory/3580-3-0x000000001BC10000-0x000000001BC20000-memory.dmp

memory/3580-8-0x00007FFCCE090000-0x00007FFCCE285000-memory.dmp

memory/3580-9-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8FAD.tmp.bat

MD5 8bfdf7b87a8dcf50433efafb70e6b794
SHA1 e89a49742dc2d4bf7148f13ae600501c7386b523
SHA256 fe8d831850f9cfc50c6991722ea7a8552340ee3cd588252bc8f34e430d09ecba
SHA512 2eff1988befa3327e70d4718ecd4f0a820e6b8f3c40c041112513bdae2330bca633f2e1ebad71da2c2a4c0ad38096cc3e70f78d56d3bcf11718a43b6816faf31

C:\Users\Admin\AppData\Roaming\chromeupdate.exe

MD5 25b6389bbaa746df85d53714d4a6d477
SHA1 86e6443e902f180f32fb434e06ecf45d484582e3
SHA256 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
SHA512 6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/4508-15-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

memory/4508-16-0x0000000002D60000-0x0000000002D70000-memory.dmp

memory/4508-17-0x00007FFCAF740000-0x00007FFCB0201000-memory.dmp

memory/4508-18-0x0000000002D60000-0x0000000002D70000-memory.dmp