Malware Analysis Report

2024-10-19 06:56

Sample ID 240628-ebs61ascpr
Target 2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid
SHA256 859e715607c56783ca86527dc6e6696d741030b10d9c17a911ddf933d6ebe4ac
Tags asyncrat default rat upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 859e715607c56783ca86527dc6e6696d741030b10d9c17a911ddf933d6ebe4ac

Threat Level: Known bad

The file 2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat upx

AsyncRat

Async RAT payload

Checks computer location settings

UPX packed file

Executes dropped EXE

Unsigned PE

Program crash

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-28 03:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-28 03:46
Reported 2024-06-28 03:48
Platform win7-20240508-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe"

Signatures

AsyncRat (rat asyncrat)

Async RAT payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WriteFile.exe | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (26 identical rows)

Enumerates physical storage devices

Delays execution with timeout.exe (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task (persistence execution)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WriteFile.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1724 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe | C:\Client.exe  (4 identical rows)
PID 1512 wrote to memory of 2896 | N/A | C:\Client.exe | C:\Windows\System32\cmd.exe  (3 identical rows)
PID 1512 wrote to memory of 532 | N/A | C:\Client.exe | C:\Windows\system32\cmd.exe  (3 identical rows)
PID 2896 wrote to memory of 1264 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe  (3 identical rows)
PID 532 wrote to memory of 844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe  (3 identical rows)
PID 1724 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe | C:\Windows\SysWOW64\WerFault.exe  (4 identical rows)
PID 532 wrote to memory of 564 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\WriteFile.exe  (3 identical rows)

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe"

C:\Client.exe

"C:\Client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WriteFile" /tr '"C:\Users\Admin\AppData\Roaming\WriteFile.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WriteFile" /tr '"C:\Users\Admin\AppData\Roaming\WriteFile.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 900

C:\Users\Admin\AppData\Roaming\WriteFile.exe

"C:\Users\Admin\AppData\Roaming\WriteFile.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.baidu.com | udp
HK | 103.235.47.188:80 | www.baidu.com | tcp
US | 8.8.8.8:53 | quan.suning.com | udp
CN | 111.48.137.146:80 | quan.suning.com | tcp
CN | 113.219.164.134:80 | quan.suning.com | tcp
CN | 123.6.124.12:80 | quan.suning.com | tcp
CN | 116.162.91.8:80 | quan.suning.com | tcp
CN | 61.184.11.92:80 | quan.suning.com | tcp
CN | 111.6.201.100:80 | quan.suning.com | tcp
US | 8.8.8.8:53 | allay.f3322.net | udp

Files

memory/1724-4-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-5-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-15-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-35-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-50-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-48-0x0000000068CD0000-0x0000000068CDF000-memory.dmp

memory/1724-47-0x0000000010000000-0x000000001003C000-memory.dmp

C:\Client.exe

MD5 91b01e99b841549fb21482b956ac78cf
SHA1 82d240f2c2ae343f4d7c6fd37af7e41374935a5f
SHA256 6036f85e4763107b83190d95294b87202d451a2548f4b90cc862ea81f269c0db
SHA512 10acfdd4d14ca93b2b05932b16b4940afff020aa18f6ded0799749e0f793f8fc94874cf5e55fb2acf041e233cc0bedcc272cadfbb5d4516f9abdcd6ef18d9b0a

memory/1724-45-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-43-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-41-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-39-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-37-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-34-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-31-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-29-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-27-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-25-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-23-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-22-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-19-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-17-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-13-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-11-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-9-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-7-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1724-6-0x0000000010000000-0x000000001003C000-memory.dmp

memory/1512-55-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

memory/1512-56-0x0000000000340000-0x0000000000358000-memory.dmp

memory/1512-58-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.bat

MD5 5f12931ee34223acd6f79b23bc954acf
SHA1 c6dd29a0ed66146bfe89c72436d4ffa7e3e4fdf6
SHA256 7b23567aada09f881c4b4ff6e08c4553b133c273565aa17f4ba05ab946af0403
SHA512 1bde74248b5e63578fc8ffa6a1e183e9ee1d18e7e73f48aee3d8673b2f4dfd0f9c0495fd3c2c6aba827ea89ab8fbc3556676205097f803e9d06bf85ebaa95924

memory/1512-67-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

memory/1512-69-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

memory/564-73-0x0000000001180000-0x0000000001198000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-28 03:46
Reported 2024-06-28 03:48
Platform win10v2004-20240508-en
Max time kernel 139s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe"

Signatures

AsyncRat (rat asyncrat)

Async RAT payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Client.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Client.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WriteFile.exe | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (25 identical rows)

Enumerates physical storage devices

Delays execution with timeout.exe (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task (persistence execution)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe | N/A  (2 identical rows)
N/A | N/A | C:\Client.exe | N/A  (23 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Roaming\WriteFile.exe | N/A  (21 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WriteFile.exe | N/A

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-28_15580dae4a38e0ee4581c1cb3b1d98eb_asyncrat_icedid.exe"

C:\Client.exe

"C:\Client.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1744

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WriteFile" /tr '"C:\Users\Admin\AppData\Roaming\WriteFile.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7782.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WriteFile" /tr '"C:\Users\Admin\AppData\Roaming\WriteFile.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\WriteFile.exe

"C:\Users\Admin\AppData\Roaming\WriteFile.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.baidu.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | allay.f3322.net | udp  (8 identical rows)

Files

memory/4344-0-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-36-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-42-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-45-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-40-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-38-0x0000000010000000-0x000000001003C000-memory.dmp

C:\Client.exe

MD5 91b01e99b841549fb21482b956ac78cf
SHA1 82d240f2c2ae343f4d7c6fd37af7e41374935a5f
SHA256 6036f85e4763107b83190d95294b87202d451a2548f4b90cc862ea81f269c0db
SHA512 10acfdd4d14ca93b2b05932b16b4940afff020aa18f6ded0799749e0f793f8fc94874cf5e55fb2acf041e233cc0bedcc272cadfbb5d4516f9abdcd6ef18d9b0a

memory/4864-57-0x0000000000D70000-0x0000000000D88000-memory.dmp

memory/4864-56-0x00007FFF98443000-0x00007FFF98445000-memory.dmp

memory/4344-34-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4864-59-0x00007FFF98440000-0x00007FFF98F01000-memory.dmp

memory/4344-32-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-30-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-28-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-26-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-24-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-23-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-21-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-18-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-16-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-14-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-12-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-10-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-8-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-6-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-4-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-43-0x0000000068CD0000-0x0000000068CDF000-memory.dmp

memory/4344-1-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4344-2-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4864-64-0x00007FFF98440000-0x00007FFF98F01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7782.tmp.bat

MD5 49ca141bbe17a503b7ed5da2f7e9898c
SHA1 2e11c6b1c06ae2858e32591922723c997b8557f1
SHA256 576e281ba36a661f7c66d09594729de680f3de83705047cbe1fe22a0b4b9c213
SHA512 28bed7fb5a191c01fc7c8c67b7d04acb8b95fd279dd79385f0d4cfd33d30033062c8d73127bcae1f44752cd846d3854fca6787184acbafc3910453c64f9dabc5

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b