Analysis Overview
SHA256
c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa
Threat Level: Known bad
The file XWorm-V5.0.rar was found to be: Known bad.
Malicious Activity Summary
Xworm
Contains code to disable Windows Defender
Xworm family
Detect Xworm Payload
Agenttesla family
AgentTesla payload
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 14:10
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 14:10
Reported
2024-04-08 14:13
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2156 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2156 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2156 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2156 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 556
Network
Files
memory/2156-0-0x00000000012C0000-0x00000000012DE000-memory.dmp
memory/2156-1-0x00000000743E0000-0x0000000074ACE000-memory.dmp
memory/2156-2-0x00000000743E0000-0x0000000074ACE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 14:10
Reported
2024-04-08 14:13
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\FixNoStart\Fix64.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 832
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4448-1-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4448-0-0x0000000000EE0000-0x0000000000EFE000-memory.dmp
memory/4448-2-0x0000000074460000-0x0000000074C10000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-08 14:10
Reported
2024-04-08 14:13
Platform
win7-20240221-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WindowsDefender.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {BD6902AD-4608-4D06-A19A-852B0348D0E8} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
C:\ProgramData\WindowsDefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
Files
memory/2020-0-0x0000000000170000-0x0000000000192000-memory.dmp
memory/2020-1-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/2020-2-0x000000001B280000-0x000000001B300000-memory.dmp
memory/2640-7-0x000000001B730000-0x000000001BA12000-memory.dmp
memory/2640-8-0x0000000002250000-0x0000000002258000-memory.dmp
memory/2640-9-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp
memory/2640-10-0x0000000002A00000-0x0000000002A80000-memory.dmp
memory/2640-11-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp
memory/2640-12-0x0000000002A00000-0x0000000002A80000-memory.dmp
memory/2640-13-0x0000000002A00000-0x0000000002A80000-memory.dmp
memory/2640-14-0x0000000002A00000-0x0000000002A80000-memory.dmp
memory/2640-15-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 3ca53a35d2f22c702929cb34faed088f |
| SHA1 | dd5a78609e4a041a8a39ac55d4d989ab2100fa7e |
| SHA256 | 9d89d0650f7e298b8dd164b9507fa89de6cd56f48aa3104a455f5e095108577c |
| SHA512 | 38eb17def6f7f6de082c6c87a391439023f8c3c2cebafc9fd6a4033ba2216616fa3564c0e380c61d5a3ae7324de9cc2c518b89a5e7d80c96b1f29fdc708ea730 |
memory/2296-21-0x000000001B510000-0x000000001B7F2000-memory.dmp
memory/2296-23-0x000007FEED910000-0x000007FEEE2AD000-memory.dmp
memory/2296-22-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
memory/2296-24-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/2296-25-0x000007FEED910000-0x000007FEEE2AD000-memory.dmp
memory/2296-27-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/2296-26-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/2296-28-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/2296-29-0x000007FEED910000-0x000007FEEE2AD000-memory.dmp
memory/2552-35-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp
memory/2552-36-0x0000000001DC0000-0x0000000001E40000-memory.dmp
memory/2552-37-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp
memory/2020-38-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/2552-39-0x0000000001DC0000-0x0000000001E40000-memory.dmp
memory/2552-40-0x0000000001DC0000-0x0000000001E40000-memory.dmp
memory/2552-41-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp
memory/2520-47-0x000007FEED910000-0x000007FEEE2AD000-memory.dmp
memory/2520-48-0x0000000002ED0000-0x0000000002F50000-memory.dmp
memory/2520-49-0x000007FEED910000-0x000007FEEE2AD000-memory.dmp
memory/2520-50-0x0000000002ED0000-0x0000000002F50000-memory.dmp
memory/2520-51-0x0000000002ED0000-0x0000000002F50000-memory.dmp
memory/2020-52-0x000000001B280000-0x000000001B300000-memory.dmp
memory/2520-53-0x0000000002ED0000-0x0000000002F50000-memory.dmp
memory/2520-54-0x000007FEED910000-0x000007FEEE2AD000-memory.dmp
C:\ProgramData\WindowsDefender.exe
| MD5 | 9158e38c3bacd6cc50e4355783fead8b |
| SHA1 | c30c982c2d061e4bd8b5e0e3f89693b3939a0833 |
| SHA256 | 1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda |
| SHA512 | 98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd |
memory/640-59-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/640-60-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/452-62-0x00000000011A0000-0x00000000011C2000-memory.dmp
memory/452-63-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/452-64-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-08 14:10
Reported
2024-04-08 14:11
Platform
win10v2004-20231215-en
Max time kernel
27s
Max time network
25s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm-V5.0\XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 94.131.109.101:7110 | testarosa.duckdns.org | tcp |
Files
memory/224-0-0x0000000000020000-0x0000000000042000-memory.dmp
memory/224-1-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/224-2-0x000000001ADE0000-0x000000001ADF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f212ykip.zws.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4092-13-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/4092-12-0x0000026393B10000-0x0000026393B32000-memory.dmp
memory/4092-14-0x0000026393BA0000-0x0000026393BB0000-memory.dmp
memory/4092-15-0x0000026393BA0000-0x0000026393BB0000-memory.dmp
memory/4092-18-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1168-20-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/1168-21-0x0000021E28C50000-0x0000021E28C60000-memory.dmp
memory/1168-22-0x0000021E28C50000-0x0000021E28C60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/1168-34-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e60eb305a7b2d9907488068b7065abd3 |
| SHA1 | 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d |
| SHA256 | ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135 |
| SHA512 | 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b |
memory/3308-44-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/3308-46-0x000002A581510000-0x000002A581520000-memory.dmp
memory/3308-47-0x000002A581510000-0x000002A581520000-memory.dmp
memory/3308-49-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/4856-50-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/4856-52-0x000001E39ADD0000-0x000001E39ADE0000-memory.dmp
memory/4856-51-0x000001E39ADD0000-0x000001E39ADE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10890cda4b6eab618e926c4118ab0647 |
| SHA1 | 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d |
| SHA256 | 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14 |
| SHA512 | a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221 |
memory/4856-64-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/224-66-0x00007FFEE7340000-0x00007FFEE7E01000-memory.dmp
memory/224-67-0x000000001ADE0000-0x000000001ADF0000-memory.dmp