Analysis Overview
SHA256
90a58064c6df293fc564fa5b616c737f6fd31f6288433da2030ec56d6dc46962
Threat Level: Known bad
The file Loader.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Detect Xworm Payload
Xworm
AsyncRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 21:53
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 21:53
Reported
2024-06-27 22:11
Platform
win10v2004-20240611-en
Max time kernel
1048s
Max time network
1051s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bdFTwtTITOXv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3WC4HVPjWfqf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bdFTwtTITOXv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhlp32 = "\"C:\\Windows\\winhlp32.exe\"" | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\3WC4HVPjWfqf.exe
"C:\Users\Admin\AppData\Local\Temp\3WC4HVPjWfqf.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$773WC4HVPjWfqf.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\3WC4HVPjWfqf.exe'" /sc onlogon /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\bdFTwtTITOXv.exe
"C:\Users\Admin\AppData\Local\Temp\bdFTwtTITOXv.exe"
C:\Users\Admin\AppData\Local\Temp\Part1.exe
"C:\Users\Admin\AppData\Local\Temp\Part1.exe"
C:\Users\Admin\AppData\Local\Temp\Part2.exe
"C:\Users\Admin\AppData\Local\Temp\Part2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | feel-barcelona.gl.at.ply.gg | udp |
| US | 147.185.221.20:47655 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.20:47655 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 147.185.221.20:47655 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | feel-barcelona.gl.at.ply.gg | udp |
| US | 147.185.221.20:47655 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 147.185.221.20:27116 | stop-largely.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 147.185.221.20:25844 | finally-grande.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.156:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 156.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | head-experimental.gl.at.ply.gg | udp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | super-nearest.gl.at.ply.gg | udp |
| US | 147.185.221.20:17835 | super-nearest.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.95:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 95.145.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:47655 | super-nearest.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | super-nearest.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:47655 | super-nearest.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | super-nearest.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:47655 | super-nearest.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | super-nearest.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.9:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | feel-barcelona.gl.at.ply.gg | udp |
| US | 147.185.221.20:47655 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 145.14.145.9:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:27116 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 145.14.145.9:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 145.14.145.9:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:47655 | feel-barcelona.gl.at.ply.gg | tcp |
| US | 145.14.145.9:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 147.185.221.20:27116 | stop-largely.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 145.14.145.9:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.198:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 198.144.14.145.in-addr.arpa | udp |
| US | 147.185.221.20:47655 | stop-largely.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | stop-largely.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:47655 | stop-largely.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | stop-largely.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | head-experimental.gl.at.ply.gg | udp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | head-experimental.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:27116 | head-experimental.gl.at.ply.gg | tcp |
| US | 145.14.144.122:443 | wiznon.000webhostapp.com | tcp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 145.14.144.122:443 | wiznon.000webhostapp.com | tcp |
| US | 147.185.221.20:46178 | head-experimental.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
Files
memory/2340-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp
memory/2340-1-0x0000000000060000-0x00000000000CC000-memory.dmp
memory/2340-2-0x0000000004FA0000-0x0000000005544000-memory.dmp
memory/2340-3-0x0000000004B80000-0x0000000004C12000-memory.dmp
memory/2340-4-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/2340-5-0x0000000004AE0000-0x0000000004B46000-memory.dmp
memory/2340-6-0x0000000005930000-0x0000000005942000-memory.dmp
memory/2340-7-0x0000000005E70000-0x0000000005EAC000-memory.dmp
memory/2340-9-0x00000000065B0000-0x00000000065BA000-memory.dmp
memory/2340-10-0x0000000074F2E000-0x0000000074F2F000-memory.dmp
memory/2340-11-0x0000000074F20000-0x00000000756D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3WC4HVPjWfqf.exe
| MD5 | 624f2865b5700644a3564513f98333e7 |
| SHA1 | fc869f7a84d4fb8b6346197a52b63c873836cdd3 |
| SHA256 | 2b67b212d34b8dd47d9406af534bcbc924294f20e51e8d4ba8f503e5b6a3503e |
| SHA512 | 8fdf785643e144128ddb6da7285bc616e63e78d97ef8894cbc84356c48a2ccda5cbfa31d7d458eea27ab0a1e3f027f265bbd9c6a334c5c3946e0a6b81c121b6f |
C:\Users\Admin\AppData\Local\Temp\3WC4HVPjWfqf.exe
| MD5 | dbd5cc9b445778ac6729b2a5b2b50d07 |
| SHA1 | cc93a18c9572c1e3847e9130458a69d5b203f20d |
| SHA256 | 539db15684c8e0f92f8d0a44b540e2df462aaca18dc7a7ce671e011682ccea10 |
| SHA512 | 4a0c03ed12296d95a539e00df75e98670341f0fd9c6f14c319608f03331c2759635adc30aab9576f0704156236e5c57e461cdb2e6b0cb1134410b670fe7874a0 |
memory/2740-23-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/2740-22-0x0000000000B40000-0x0000000000BAC000-memory.dmp
memory/2740-24-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/2740-26-0x0000000074F20000-0x00000000756D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bdFTwtTITOXv.exe
| MD5 | a7f90eed868ae4c7c63dcedc32edb0ba |
| SHA1 | da0b41f16b598f71c6b767d2c11eabadc3ea07f6 |
| SHA256 | 348e6ddea03a8cab0a5cd1f4679adb280901bdf3276d3851a5901977aa7e2399 |
| SHA512 | 47fa663e3e1180d8f2ba7134c3db09bb22339649054a6e923739c8362757cb62ea3e512d88ea2503013845eb40270e94ea129876815a22332bef7d4b81132573 |
C:\Users\Admin\AppData\Local\Temp\bdFTwtTITOXv.exe
| MD5 | 457143901d9ca2f0bc836c1dd1faefe3 |
| SHA1 | 11e554dcfca0dd51c5bfe92d35b9c13b21b81691 |
| SHA256 | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26 |
| SHA512 | 0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0 |
memory/2440-42-0x0000000000560000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part1.exe
| MD5 | e35a7249966beef31a45272c53e06727 |
| SHA1 | cc54648f9c9423f7a625e96256c608791b1ab275 |
| SHA256 | ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998 |
| SHA512 | 1dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114 |
memory/5196-62-0x00000000001D0000-0x00000000001E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part2.exe
| MD5 | c47c0d681b491091209c54147c33da81 |
| SHA1 | 58cb51be41aa576ce56d4c16c9c443e70e648f62 |
| SHA256 | 429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720 |
| SHA512 | f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c |
memory/3764-67-0x00000000008A0000-0x000000000094C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
| MD5 | 092a0c6fe885844fd74947e64e7fc11e |
| SHA1 | bfe46f64f36f2e927d862a1a787f146ed2c01219 |
| SHA256 | 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2 |
| SHA512 | 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0 |
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
| MD5 | e10c7425705b2bd3214fa96247ee21c4 |
| SHA1 | 7603536b97ab6337fa023bafcf80579c2b4059e6 |
| SHA256 | 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4 |
| SHA512 | 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d |
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
| MD5 | 27fe9341167a34f606b800303ac54b1f |
| SHA1 | 86373d218b48361bff1c23ddd08b6ab1803a51d0 |
| SHA256 | 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d |
| SHA512 | 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0 |
memory/2880-98-0x0000000000820000-0x0000000000838000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
| MD5 | 1f1b23752df3d29e7604ba52aea85862 |
| SHA1 | bb582c6cf022098b171c4c9c7318a51de29ebcf4 |
| SHA256 | 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960 |
| SHA512 | d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde |
memory/5876-122-0x0000000000EF0000-0x0000000000F06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
| MD5 | 4daae2de5a31125d02b057c1ff18d58f |
| SHA1 | e1d603edfcc150a4718e2916ae3dda3aa9548dc8 |
| SHA256 | 25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f |
| SHA512 | 7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a |
memory/3596-124-0x0000000000B10000-0x0000000000B2A000-memory.dmp
memory/1464-100-0x0000000000940000-0x00000000009AC000-memory.dmp
memory/3036-128-0x0000000000760000-0x000000000076E000-memory.dmp
memory/3036-129-0x0000000002820000-0x0000000002830000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 5dc17b4e2aa1806cef61cdeaefe07305 |
| SHA1 | 0318e98212510e5a37455529d9f19fbcaa2bf27a |
| SHA256 | 50a79c79d6fd45cf58302a6254f85ec6317917b52160dc4631b972145b84d7e6 |
| SHA512 | 8ce60c1cbbe0d6624111dce9ccec0d3102516c197c336ffaeb827c03710cf0a1078e8df2ac499223aeb284d76c796adbf2edb768fc2fc98d7d640964a1726def |
memory/32-132-0x00000125C2C20000-0x00000125C2C42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tze3nktw.m3a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c740b7699e2363ac4ecdf496520ca35 |
| SHA1 | aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9 |
| SHA256 | be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61 |
| SHA512 | 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbb22d95851b93abf2afe8fb96a8e544 |
| SHA1 | 920ec5fdb323537bcf78f7e29a4fc274e657f7a4 |
| SHA256 | e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465 |
| SHA512 | 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cc19bcff372d20459d3651ba8aef50e7 |
| SHA1 | 3c6f1d4cdd647864fb97a16b1aefba67fcee11f7 |
| SHA256 | 366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9 |
| SHA512 | a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080 |
memory/2880-200-0x000000001C480000-0x000000001C48E000-memory.dmp
memory/5196-201-0x000000001D830000-0x000000001DB80000-memory.dmp