Analysis Overview
SHA256
ee7d4244e534803ab573e663323b3f83dd9924955a13d7b8696692ad93d7216b
Threat Level: Known bad
The file 457143901d9ca2f0bc836c1dd1faefe3.bin was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Xworm
Quasar RAT
Detect Xworm Payload
Quasar payload
Async RAT payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-30 01:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 01:56
Reported
2024-06-30 01:59
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
"C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe"
C:\Users\Admin\AppData\Local\Temp\Part1.exe
"C:\Users\Admin\AppData\Local\Temp\Part1.exe"
C:\Users\Admin\AppData\Local\Temp\Part2.exe
"C:\Users\Admin\AppData\Local\Temp\Part2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGKSTMlSXHue.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SImgBZhsf8FA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | head-experimental.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | super-nearest.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2392-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp
memory/2392-1-0x0000000001290000-0x0000000001352000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part1.exe
| MD5 | e35a7249966beef31a45272c53e06727 |
| SHA1 | cc54648f9c9423f7a625e96256c608791b1ab275 |
| SHA256 | ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998 |
| SHA512 | 1dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114 |
memory/2156-9-0x00000000002A0000-0x00000000002B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part2.exe
| MD5 | c47c0d681b491091209c54147c33da81 |
| SHA1 | 58cb51be41aa576ce56d4c16c9c443e70e648f62 |
| SHA256 | 429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720 |
| SHA512 | f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c |
memory/2740-13-0x0000000000060000-0x000000000010C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
| MD5 | 092a0c6fe885844fd74947e64e7fc11e |
| SHA1 | bfe46f64f36f2e927d862a1a787f146ed2c01219 |
| SHA256 | 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2 |
| SHA512 | 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0 |
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
| MD5 | e10c7425705b2bd3214fa96247ee21c4 |
| SHA1 | 7603536b97ab6337fa023bafcf80579c2b4059e6 |
| SHA256 | 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4 |
| SHA512 | 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d |
memory/2720-28-0x0000000000C00000-0x0000000000C18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
| MD5 | 27fe9341167a34f606b800303ac54b1f |
| SHA1 | 86373d218b48361bff1c23ddd08b6ab1803a51d0 |
| SHA256 | 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d |
| SHA512 | 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0 |
memory/2688-37-0x0000000000230000-0x0000000000246000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
| MD5 | 1f1b23752df3d29e7604ba52aea85862 |
| SHA1 | bb582c6cf022098b171c4c9c7318a51de29ebcf4 |
| SHA256 | 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960 |
| SHA512 | d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde |
memory/2736-39-0x00000000000E0000-0x00000000000FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
| MD5 | 4daae2de5a31125d02b057c1ff18d58f |
| SHA1 | e1d603edfcc150a4718e2916ae3dda3aa9548dc8 |
| SHA256 | 25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f |
| SHA512 | 7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a |
memory/2156-44-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
memory/2640-46-0x0000000000D10000-0x0000000000D7C000-memory.dmp
memory/2540-45-0x0000000000090000-0x000000000009E000-memory.dmp
memory/2540-47-0x00000000002D0000-0x00000000002E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 01:56
Reported
2024-06-30 01:59
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
"C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe"
C:\Users\Admin\AppData\Local\Temp\Part1.exe
"C:\Users\Admin\AppData\Local\Temp\Part1.exe"
C:\Users\Admin\AppData\Local\Temp\Part2.exe
"C:\Users\Admin\AppData\Local\Temp\Part2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 147.185.221.20:25844 | finally-grande.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 147.185.221.20:27116 | stop-largely.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 147.185.221.20:25844 | stop-largely.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | head-experimental.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | super-nearest.gl.at.ply.gg | udp |
| US | 147.185.221.20:17835 | super-nearest.gl.at.ply.gg | tcp |
| US | 147.185.221.20:46178 | super-nearest.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.160:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 160.58.19.162.in-addr.arpa | udp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.249:443 | wiznon.000webhostapp.com | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 249.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 13.107.246.64:443 | tcp | |
| US | 147.185.221.20:17835 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:46178 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:46178 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:46178 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:46178 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 147.185.221.20:27116 | best-bird.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
Files
memory/4064-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp
memory/4064-1-0x0000000000510000-0x00000000005D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part1.exe
| MD5 | e35a7249966beef31a45272c53e06727 |
| SHA1 | cc54648f9c9423f7a625e96256c608791b1ab275 |
| SHA256 | ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998 |
| SHA512 | 1dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114 |
memory/4448-16-0x00000000004F0000-0x0000000000508000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part2.exe
| MD5 | c47c0d681b491091209c54147c33da81 |
| SHA1 | 58cb51be41aa576ce56d4c16c9c443e70e648f62 |
| SHA256 | 429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720 |
| SHA512 | f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c |
memory/2604-27-0x00000000006E0000-0x000000000078C000-memory.dmp
memory/4064-26-0x000000001B220000-0x000000001B3C9000-memory.dmp
memory/4448-29-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/2604-30-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
| MD5 | 092a0c6fe885844fd74947e64e7fc11e |
| SHA1 | bfe46f64f36f2e927d862a1a787f146ed2c01219 |
| SHA256 | 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2 |
| SHA512 | 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0 |
memory/2860-44-0x0000000000C70000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
| MD5 | e10c7425705b2bd3214fa96247ee21c4 |
| SHA1 | 7603536b97ab6337fa023bafcf80579c2b4059e6 |
| SHA256 | 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4 |
| SHA512 | 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d |
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
| MD5 | 27fe9341167a34f606b800303ac54b1f |
| SHA1 | 86373d218b48361bff1c23ddd08b6ab1803a51d0 |
| SHA256 | 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d |
| SHA512 | 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0 |
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
| MD5 | 1f1b23752df3d29e7604ba52aea85862 |
| SHA1 | bb582c6cf022098b171c4c9c7318a51de29ebcf4 |
| SHA256 | 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960 |
| SHA512 | d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde |
memory/216-71-0x0000000000640000-0x0000000000656000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
| MD5 | 4daae2de5a31125d02b057c1ff18d58f |
| SHA1 | e1d603edfcc150a4718e2916ae3dda3aa9548dc8 |
| SHA256 | 25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f |
| SHA512 | 7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a |
memory/3632-86-0x0000000000CA0000-0x0000000000CBA000-memory.dmp
memory/2604-87-0x000000001B300000-0x000000001B4A9000-memory.dmp
memory/2604-88-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/4448-91-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/4392-92-0x00000000004A0000-0x00000000004AE000-memory.dmp
memory/2140-93-0x0000000000C70000-0x0000000000CDC000-memory.dmp
memory/2856-99-0x0000029B6F190000-0x0000029B6F1B2000-memory.dmp
memory/2140-104-0x0000000005B90000-0x0000000006134000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wq4uwbe3.sl3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4392-123-0x0000000000E10000-0x0000000000E20000-memory.dmp
memory/2140-124-0x0000000005720000-0x00000000057B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
memory/2140-153-0x0000000005AC0000-0x0000000005B26000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1f545274ba19d9199a78f74cd05e8187 |
| SHA1 | 4036cf78d3f310af42963c8f16ae27c5922b5dff |
| SHA256 | 3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c |
| SHA512 | b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9451a6b9669d49bd90704dff21beb85 |
| SHA1 | 5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80 |
| SHA256 | b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056 |
| SHA512 | 06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5 |
memory/2140-167-0x00000000066F0000-0x0000000006702000-memory.dmp
memory/2140-168-0x0000000006B30000-0x0000000006B6C000-memory.dmp
memory/2140-170-0x0000000007280000-0x000000000728A000-memory.dmp
memory/2860-171-0x000000001CFA0000-0x000000001CFAE000-memory.dmp
memory/4448-172-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/3632-173-0x0000000002D40000-0x0000000002D4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.bat
| MD5 | fa27b2e5118a874708c9f3168cc56c1c |
| SHA1 | b55f2f6429f50b144e6468eec989c7a815f5dfd3 |
| SHA256 | 5a67c947e5ea2552960568a02770e18e0a5b839116f4769d6a78b14a4bdde6c8 |
| SHA512 | dd4048645b1c4113cb6cc14e29af544fcd6182c76777171d815dd044c29cbdbbc11e6bee95820fd40a4b608e9e0f3f9635497dae1b87ed1df0f082117b9f8d8b |