Analysis Overview
SHA256
9d6a0c6c2e07cb1544f3fc1a7d7353cb42c122cb529d0e910ab65975196402cc
Threat Level: Known bad
The file 9d6a0c6c2e07cb1544f3fc1a7d7353cb42c122cb529d0e910ab65975196402cc was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 13:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 13:10
Reported
2024-04-17 13:12
Platform
win7-20240221-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
AsyncRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2960 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe |
| PID 676 set thread context of 1752 | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | C:\Users\Admin\AppData\Roaming\msdtc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp" |
| C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\msdtc.exe | "C:\Users\Admin\AppData\Roaming\msdtc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B00.tmp" |
| C:\Users\Admin\AppData\Roaming\msdtc.exe | "C:\Users\Admin\AppData\Roaming\msdtc.exe" |
Network
| Country | Destination | Domain | Proto |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
Files
memory/2960-1-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/2960-0-0x0000000000D00000-0x0000000000D74000-memory.dmp
memory/2960-2-0x0000000004D10000-0x0000000004D50000-memory.dmp
memory/2960-3-0x0000000000320000-0x0000000000334000-memory.dmp
memory/2960-4-0x0000000000350000-0x000000000035A000-memory.dmp
memory/2960-5-0x0000000000360000-0x000000000036C000-memory.dmp
memory/2960-6-0x0000000000CB0000-0x0000000000D04000-memory.dmp
memory/2960-7-0x0000000074E30000-0x000000007551E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp
| MD5 | 1932843c6cdcb3a7c01029c551e67201 |
| SHA1 | 7b8aed4f6e9596568c06876db80ae7616303a6bd |
| SHA256 | 14a56d320fb17b4bd11f103e6fbe10b618491f11965e3cd3a0d8044fcc5612a3 |
| SHA512 | 6802ea1a79b93faa7adb1d0f6e8fae1ac3859cc3cb43b938bb0c272003ff1356dbb98427b79ec665a7d1903b51d79f362886d4f74a1d2f86b4e41a7f46b89b5f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F8NYMYDH0DTXO3GWG075.temp
| MD5 | 0e0d26cb62e8a545f48bd44a7d85eb81 |
| SHA1 | 9ea42d82ece8f933c5233792873a29bfec8122a8 |
| SHA256 | 16b0421108933ed478b761b7b2425a1cc2f708c11d774288573979b3cbdeac77 |
| SHA512 | fe359498e4e032d16931ee48e0b902513813e81afb7c15ea50c063452f9480130820eea2fb42b4ed6d3cbca16830c5c7e91cfda3e51c370fcdaadd45b86be319 |
memory/2436-20-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2960-21-0x0000000004D10000-0x0000000004D50000-memory.dmp
memory/2436-22-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2436-23-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2436-24-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2436-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2436-27-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2436-32-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2960-31-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/2436-29-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2992-33-0x000000006FCB0000-0x000000007025B000-memory.dmp
memory/2992-35-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/2628-34-0x000000006FCB0000-0x000000007025B000-memory.dmp
memory/2992-36-0x000000006FCB0000-0x000000007025B000-memory.dmp
memory/2992-38-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/2628-39-0x00000000023B0000-0x00000000023F0000-memory.dmp
memory/2436-37-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/2436-40-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
memory/2628-41-0x000000006FCB0000-0x000000007025B000-memory.dmp
memory/2992-42-0x000000006FCB0000-0x000000007025B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat
| MD5 | 67ef356a2925832ec6ffa768d6ea2c78 |
| SHA1 | 12361a2b230d80fca2b2d3332b1c5d9668922a14 |
| SHA256 | 3ee2c307ef89808af255da0f796d516ee2fcd215cd3bc6c2f3b337b121b659c5 |
| SHA512 | 977fc7649286292070b19bf852652a7f299c94c473a37d2fd4a5b97343cedde196a5cc44217a138fe495c025b31071b6ea4e376587ef22bff402e55ec600f8c3 |
memory/2436-52-0x0000000074E30000-0x000000007551E000-memory.dmp
\Users\Admin\AppData\Roaming\msdtc.exe
| MD5 | ead981cd98146fabe078992943b0329d |
| SHA1 | a20ba9450187e13e3ed62e6beab4d2bec788df01 |
| SHA256 | fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e |
| SHA512 | a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a |
memory/676-56-0x00000000013B0000-0x0000000001424000-memory.dmp
memory/676-57-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/676-58-0x0000000000440000-0x0000000000480000-memory.dmp
memory/676-59-0x0000000000CD0000-0x0000000000D24000-memory.dmp
memory/676-60-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/2452-69-0x000000006EFD0000-0x000000006F57B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c3ef1031790b1b6ab3c88d8ea2e3a9ed |
| SHA1 | f5dc679b8f33803e8afaf2a6d7d62fce1c11f117 |
| SHA256 | 843bc60d3e304fa0aa13d29d8053ab04fe79d6448459df01a8250799733c3217 |
| SHA512 | c73ff2e30109c1a23b4d3334089f143b8d0b65be0110c783c913275b3f2a7f3d3720daacb56cc4df88aa71d6ef886142d81614c541cf0421697d162618c3ebc4 |
memory/2452-74-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2452-76-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/2452-80-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/2452-82-0x00000000026C0000-0x0000000002700000-memory.dmp
memory/1752-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1952-85-0x00000000027F0000-0x0000000002830000-memory.dmp
memory/1952-89-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/1952-91-0x00000000027F0000-0x0000000002830000-memory.dmp
memory/1752-90-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1752-93-0x0000000000400000-0x0000000000412000-memory.dmp
memory/676-94-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/1952-95-0x000000006EFD0000-0x000000006F57B000-memory.dmp
memory/2452-96-0x000000006EFD0000-0x000000006F57B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 13:10
Reported
2024-04-17 13:12
Platform
win10v2004-20240412-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
AsyncRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3760 set thread context of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe |
| PID 3340 set thread context of 3812 | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | C:\Users\Admin\AppData\Roaming\msdtc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\msdtc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8D0.tmp" |
| C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe | "C:\Users\Admin\AppData\Local\Temp\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\msdtc.exe | "C:\Users\Admin\AppData\Roaming\msdtc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32E2.tmp" |
| C:\Users\Admin\AppData\Roaming\msdtc.exe | "C:\Users\Admin\AppData\Roaming\msdtc.exe" |
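The Processes listings of both detonations record the same chain on Win7 and Win10: PowerShell adds Defender exclusions for the sample and for the dropped binaries, schtasks registers a task from a temp XML, a second task runs at logon with highest run level pointing at a copy of the sample renamed msdtc.exe under Roaming, and a batch file sleeps with timeout before launching that copy. The Python below is an added example, not part of the sandbox report or of the malware, that runs simple detection rules over those command lines and tags each hit with the ATT&CK technique it maps to. The event list is copied from the report; the single C:\Windows\System32\msdtc.exe entry is constructed as a negative control, and the rule names, the USER_WRITABLE prefix list and the SYSTEM_BINARIES set are this example's own choices.

```python
from __future__ import annotations

import re
from collections import Counter
from pathlib import PureWindowsPath

# (image path, command line) pairs copied from the Processes listings of the report.
# The last entry is a CONSTRUCTED control: the genuine MSDTC service binary, which
# the masquerading rule must leave alone.
EVENTS = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FITGzizVFD.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FITGzizVFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit'''),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp.bat""'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'"""),
    (r"C:\Windows\SysWOW64\timeout.exe", r"timeout 3"),
    (r"C:\Users\Admin\AppData\Roaming\msdtc.exe", r'"C:\Users\Admin\AppData\Roaming\msdtc.exe"'),
    (r"C:\Windows\System32\msdtc.exe", r"C:\Windows\System32\msdtc.exe"),  # constructed control
]

# Names of Windows system binaries that have no business running outside C:\Windows
# (this example's own short list, extend as needed).
SYSTEM_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Path fragments a standard user can write to (this example's own list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

RE_EXCLUSION = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"?([^"]+)', re.I)
RE_TASK_LOGON = re.compile(r"""/sc\s+onlogon.*?/tn\s+"([^"]+)".*?/tr\s+['"]*([^"']+)""", re.I)
RE_TASK_XML = re.compile(r'/create\s+/tn\s+"([^"]+)"\s+/xml\s+"([^"]+)"', re.I)


def in_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def classify(image: str, cmdline: str) -> list[dict]:
    """Return ATT&CK-tagged findings for one process-creation event (image, command line)."""
    name = PureWindowsPath(image).name.lower()
    findings: list[dict] = []
    if name == "powershell.exe":
        # Defender exclusion for a path the malware controls: Impair Defenses
        m = RE_EXCLUSION.search(cmdline)
        if m:
            findings.append({"technique": "T1562.001", "rule": "defender_exclusion", "detail": m.group(1)})
    if name == "schtasks.exe":
        # Logon task whose action lives in a user-writable directory: Scheduled Task persistence
        m = RE_TASK_LOGON.search(cmdline)
        if m and in_user_writable(m.group(2)):
            elevated = "/rl highest" in cmdline.lower()
            findings.append({"technique": "T1053.005", "rule": "logon_task_user_path",
                             "detail": f"{m.group(1)} -> {m.group(2)} (rl highest={elevated})"})
        # Task registered from an XML file dropped in a temp directory
        m = RE_TASK_XML.search(cmdline)
        if m and in_user_writable(m.group(2)):
            findings.append({"technique": "T1053.005", "rule": "task_from_temp_xml",
                             "detail": f"{m.group(1)} <- {m.group(2)}"})
    if name in SYSTEM_BINARIES and not image.lower().startswith("c:\\windows\\"):
        # A system binary name running from a user profile: Masquerading
        findings.append({"technique": "T1036.005", "rule": "system_name_outside_windows", "detail": image})
    if name == "timeout.exe":
        # Low on its own; meaningful next to the task creation and the dropped copy
        findings.append({"technique": "T1497.003", "rule": "timeout_delay", "detail": cmdline})
    return findings


def analyze(events) -> dict:
    """Run every event through classify() and summarise hits by technique."""
    all_findings = []
    for image, cmdline in events:
        for finding in classify(image, cmdline):
            finding["image"] = image
            all_findings.append(finding)
    return {"findings": all_findings,
            "by_technique": dict(Counter(f["technique"] for f in all_findings))}


if __name__ == "__main__":
    report = analyze(EVENTS)
    for f in report["findings"]:
        print(f'{f["technique"]:<10} {f["rule"]:<28} {f["detail"]}')
    print(report["by_technique"])
```

The rules key on the process that actually does the work (schtasks.exe, powershell.exe) rather than the cmd.exe wrapper, so the `/c schtasks ...` line in the listing is not counted twice. On a live host the same checks apply to the Image and CommandLine fields of Sysmon event ID 1 or Windows Security event 4688; the path-based rules are deliberately loose because the task name and the dropped file name change from build to build while the pattern (highest run level, action under AppData, exclusion for the same path) does not.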
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| UA | 194.147.140.157:3361 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| UA | 194.147.140.157:3361 | | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| UA | 194.147.140.157:3361 | | tcp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/3760-0-0x0000000074870000-0x0000000075020000-memory.dmp
memory/3760-1-0x0000000000890000-0x0000000000904000-memory.dmp
memory/3760-2-0x0000000005970000-0x0000000005F14000-memory.dmp
memory/3760-3-0x00000000052F0000-0x0000000005382000-memory.dmp
memory/3760-4-0x00000000052D0000-0x00000000052E0000-memory.dmp
memory/3760-5-0x00000000054B0000-0x00000000054BA000-memory.dmp
memory/3760-6-0x00000000058F0000-0x0000000005904000-memory.dmp
memory/3760-7-0x0000000005920000-0x000000000592A000-memory.dmp
memory/3760-8-0x0000000005930000-0x000000000593C000-memory.dmp
memory/3760-9-0x0000000006600000-0x0000000006654000-memory.dmp
memory/3760-10-0x0000000008C40000-0x0000000008CDC000-memory.dmp
memory/3760-11-0x0000000074870000-0x0000000075020000-memory.dmp
memory/3760-16-0x00000000052D0000-0x00000000052E0000-memory.dmp
memory/1532-17-0x0000000004F50000-0x0000000004F86000-memory.dmp
memory/1532-18-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1532-19-0x0000000005710000-0x0000000005D38000-memory.dmp
memory/1148-20-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1148-21-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/1148-22-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/1532-24-0x00000000050D0000-0x00000000050E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB8D0.tmp
| MD5 | cc76898055b19a9816d0f9d966112a2b |
| SHA1 | 0eb865bd7cfbe37652e58ccc778f82e582fc03ba |
| SHA256 | 07553f956e42e2c7822ba99bab8b53f6ef8aa94e58346ad994589af8c68f0b64 |
| SHA512 | d71e8906a05e26df2c3bfc2de96b865dfcd706a3dbab88f88fb43b0da8e16df600600ff4dd8f8223c911cbd1c92d64bcc3d504b6b9d34ffba040761f6ad71c14 |
memory/1532-23-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/1148-26-0x0000000005140000-0x0000000005162000-memory.dmp
memory/1532-28-0x0000000005EF0000-0x0000000005F56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1lo1omz.aph.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5060-47-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1532-27-0x0000000005E10000-0x0000000005E76000-memory.dmp
memory/1148-48-0x0000000005B60000-0x0000000005EB4000-memory.dmp
memory/5060-49-0x0000000074870000-0x0000000075020000-memory.dmp
memory/3760-51-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1148-52-0x0000000006020000-0x000000000603E000-memory.dmp
memory/1148-53-0x00000000060E0000-0x000000000612C000-memory.dmp
memory/1148-54-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/1532-55-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/1532-56-0x000000007F870000-0x000000007F880000-memory.dmp
memory/1532-57-0x0000000006AF0000-0x0000000006B22000-memory.dmp
memory/1148-58-0x0000000075120000-0x000000007516C000-memory.dmp
memory/1148-69-0x00000000065E0000-0x00000000065FE000-memory.dmp
memory/1532-68-0x0000000075120000-0x000000007516C000-memory.dmp
memory/1532-79-0x0000000007730000-0x00000000077D3000-memory.dmp
memory/1532-81-0x0000000007E70000-0x00000000084EA000-memory.dmp
memory/1148-80-0x0000000007340000-0x000000000735A000-memory.dmp
memory/1148-82-0x00000000073B0000-0x00000000073BA000-memory.dmp
memory/1532-83-0x0000000007AB0000-0x0000000007B46000-memory.dmp
memory/1532-84-0x0000000007A30000-0x0000000007A41000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/1148-89-0x0000000007570000-0x000000000757E000-memory.dmp
memory/5060-91-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1532-90-0x0000000007A70000-0x0000000007A84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat
| MD5 | 06458189843302b8b941a048c6675465 |
| SHA1 | c4ebe5d01917e0c738bf0a4190dd80cf91d1fa4a |
| SHA256 | 0cc40df055554a5f8caaa0a8e4114cd8a4a9bfc1ad11633b10a2896333ac75ca |
| SHA512 | fceb58e7187c336168fab07804fbb3894990d397127af30f0f5a339f4277299276b35baf4a778c0dec7a82452fc653515b9892babc5567d4734be7d4d35100f8 |
memory/1148-93-0x0000000007680000-0x000000000769A000-memory.dmp
memory/1148-94-0x0000000007660000-0x0000000007668000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3e529c353051d245a094ed31e0a9bfb5 |
| SHA1 | e50ba7768527efa7cf2125fb5ff35775a24350b7 |
| SHA256 | e367658c804506edba9b0f8bbb20fc3c1758a1d76bd076b66d301344410dc4e3 |
| SHA512 | 4b02c0c398b9cc48f8709ef9a96476147a89326b63119319656b60acb3f3d69418163cd97aad8ec90710e86a3cfc74551db78c1eb21856b35af103d74640ca96 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/1148-100-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1532-101-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\AppData\Roaming\msdtc.exe
| MD5 | ead981cd98146fabe078992943b0329d |
| SHA1 | a20ba9450187e13e3ed62e6beab4d2bec788df01 |
| SHA256 | fafaaff6d67dd5702bf67e82ea12605ddc03797213ee5aaaed48fe6194cfe87e |
| SHA512 | a20fc11777c75d1062c16407b0f77098e93cdfa28afae053fd8671b56afc234c4bce9243dcd516adb95183a8d4aa58dafb850bd54c996c7507b2bf51c0fcb03a |
memory/3340-105-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3340-106-0x00000000027E0000-0x00000000027F0000-memory.dmp
memory/3340-108-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/324-109-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/324-110-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/324-111-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/1192-112-0x0000000000C90000-0x0000000000CA0000-memory.dmp
memory/1192-114-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/324-126-0x0000000006400000-0x0000000006754000-memory.dmp
memory/3812-128-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3340-129-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/324-140-0x0000000006EE0000-0x0000000006F2C000-memory.dmp
memory/324-141-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/324-143-0x0000000075160000-0x00000000751AC000-memory.dmp
memory/324-142-0x000000007EFF0000-0x000000007F000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2310d170d3073d359153effcff4c11ff |
| SHA1 | c82999f1651a2c6f7e3cce447ba85febdf10bd76 |
| SHA256 | 59267b783e32f9273993595cad4153404dea3aadb0854de082b008a294052ab8 |
| SHA512 | 7c2acf3a0c0036a79944f09c331c0ad0c6b7d37d07d4cf8f09191d935d7d6e0b50d92eac1dad2c37612fb13e51f4952286c78fde5023688b1324f08b42e774a2 |
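Both detonations pair a "PID X set thread context of Y" indicator (the sample re-launching its own image and writing into the child) with memory dumps taken from the target PID. The Python below is an added example, not output of the sandbox, that parses the memory/PID-N-start-end-memory.dmp artefact names from the Files sections, joins them to the SetThreadContext lines, and reports for each parent/child pair what the child has at the 32-bit default image base 0x400000 that its parent does not. The dump names are copied from the report (trimmed to the PIDs involved); the output field names and the DEFAULT_IMAGE_BASE constant are this example's own.

```python
import re
from collections import defaultdict

# Indicator lines and dump names copied from the report's SetThreadContext and Files
# sections, trimmed to the PIDs involved in the injection pairs.
SET_THREAD_CONTEXT = [
    "PID 2960 set thread context of 2436",
    "PID 676 set thread context of 1752",
    "PID 3760 set thread context of 5060",
    "PID 3340 set thread context of 3812",
]
DUMPS = """
memory/2960-0-0x0000000000D00000-0x0000000000D74000-memory.dmp
memory/2960-1-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/2960-3-0x0000000000320000-0x0000000000334000-memory.dmp
memory/2436-20-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2436-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2436-37-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/676-56-0x00000000013B0000-0x0000000001424000-memory.dmp
memory/676-57-0x0000000074DE0000-0x00000000754CE000-memory.dmp
memory/1752-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1752-90-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3760-1-0x0000000000890000-0x0000000000904000-memory.dmp
memory/3760-0-0x0000000074870000-0x0000000075020000-memory.dmp
memory/5060-47-0x0000000000400000-0x0000000000412000-memory.dmp
memory/5060-49-0x0000000074870000-0x0000000075020000-memory.dmp
memory/3340-105-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3340-106-0x00000000027E0000-0x00000000027F0000-memory.dmp
memory/3812-128-0x0000000074830000-0x0000000074FE0000-memory.dmp
""".split()

DEFAULT_IMAGE_BASE = 0x400000  # default ImageBase of a 32-bit PE executable
RE_DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
RE_STC = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_regions(names):
    """Map PID -> set of (start, size) for every dumped region; repeats of a region collapse."""
    regions = defaultdict(set)
    for name in names:
        m = RE_DUMP.fullmatch(name)
        if m:
            pid = int(m.group(1))
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions[pid].add((start, end - start))
    return regions


def region_at(regions, pid, base):
    """The (start, size) dumped at exactly `base` for `pid`, or None if nothing was dumped there."""
    for start, size in regions.get(pid, ()):
        if start == base:
            return (start, size)
    return None


def hollowing_pairs(stc_lines, dump_names):
    """Join SetThreadContext pairs to the dumps and describe what the child holds at 0x400000."""
    regions = parse_regions(dump_names)
    pairs = []
    for line in stc_lines:
        m = RE_STC.search(line)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        pairs.append({
            "parent": parent,
            "child": child,
            "child_image": region_at(regions, child, DEFAULT_IMAGE_BASE),
            "parent_has_image_base": region_at(regions, parent, DEFAULT_IMAGE_BASE) is not None,
            # regions mapped at the same address and size in both: shared modules, not payload
            "shared_regions": sorted(regions[parent] & regions[child]),
        })
    return pairs


def payload_sizes(pairs):
    """Distinct sizes of the region at the default image base across all injected children."""
    return sorted({p["child_image"][1] for p in pairs if p["child_image"]})


if __name__ == "__main__":
    for p in hollowing_pairs(SET_THREAD_CONTEXT, DUMPS):
        img = p["child_image"]
        where = f"0x{img[0]:X} size 0x{img[1]:X}" if img else "no dump at 0x400000"
        print(f'{p["parent"]} -> {p["child"]}: child image {where}; '
              f'shared {[f"0x{s:X}+0x{n:X}" for s, n in p["shared_regions"]]}')
    print("payload sizes:", [hex(s) for s in payload_sizes(hollowing_pairs(SET_THREAD_CONTEXT, DUMPS))])
```

In three of the four pairs the child carries a 0x12000-byte region at 0x400000 that its parent never has, which is consistent with an unpacked 32-bit PE mapped at its default base and is the dump to carve a PE from first; the identical size in the Win7 and Win10 runs is a useful pivot because it does not change with the task or file names. For 3340 -> 3812 the listing contains no dump at that address, so the function returns None rather than guessing, and the only region the pair shares is the high-address module mapped identically in both processes, which is not the payload.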