Malware Analysis Report

2024-10-10 10:10

Sample ID 240516-hq44lahd45
Target Loader.exe
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
Tags
umbral xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

Detect Umbral payload

Xworm

Detect Xworm Payload

Umbral

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Detects videocard installed

Runs ping.exe

Modifies registry class

Views/modifies file attributes

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 06:57

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 06:57

Reported

2024-05-16 07:03

Platform

win11-20240426-en

Max time kernel

343s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Detect Umbral payload

Detect Xworm Payload

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3408 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 1120 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1120 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\attrib.exe
PID 1120 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1120 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2720 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1120 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1120 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2720 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\schtasks.exe
PID 1120 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\cmd.exe
PID 1528 wrote to memory of 1972 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FR 142.250.178.131:443 gstatic.com tcp
US 162.159.134.233:443 discordapp.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qyhrv2p3.fue.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b92d741d003e8d1f0394874017a6fe9
SHA1 1a4bebc2637bce160dae38d4d0bfdeb6b398059d
SHA256 8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc
SHA512 5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d79442dfd4d7b3d489221dab648a8b0
SHA1 715225e9ad02901ef13250d9126e612b05751f49
SHA256 4f4c4f31db3e81c3afe2662eceb44fe4743019a5da26109d0c3af1c85bc1bf98
SHA512 3ae1e2467b81ead66b6fa0a9d274c503c1dee442465b81f161bb72a5b93eb9603d8504b795d02f8e6a74ed4b5ae5bd57e8faf1a9af8a018d5d43ca9094aaa630

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6e4f5276ac4827dac632cc228cc825fd
SHA1 0d151017975a1e91325649b5ef4a4cce043b81aa
SHA256 9b59dd2123e61507bc98c878acb6a41e307e60adbb0e9a2a301f194cf51cf27a
SHA512 ab487a017bb10c80ec466e3207cbecb4b9453d88a1af7f1b8a9f6698b55b0a1bf721d8a63757ada195bf87807a4180a88222eb0ee96929404aacca09ed4a67a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0ea6ac9b9bc1d4ae31ff7d82c5e2c8bb
SHA1 0659254cfdf0eca3f09665dea655438d3242c413
SHA256 a2c4271e070a9ce8ca10b129a7916c7271a5e4463d3810617a825d6f3ba7a1c8
SHA512 e78ec495cc7390522394950f29fc7c56359b89df71f451aca9f0379a942e801a0191f333f5bcf8df99ea0305b23448188db7754a54f55bef3cd3b8a275b6ee91

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 781da0576417bf414dc558e5a315e2be
SHA1 215451c1e370be595f1c389f587efeaa93108b4c
SHA256 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA512 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 2cb9e3f89741961748d38d15dfecc8fb
SHA1 11f89dfac73dfacb194fa01bf6e7fddb38c1f6d7
SHA256 e76dcf1390543fde2ae6fd8263e90df10923df9dfe78a5fb588a50654577fd13
SHA512 20557311d13320d2f7c8bfb99e49c8af30dbcbace0faaa5101f9ea893a017a55100bf2b3c466c9d9cfe4fa8a8affcef9223a870abbcf571492fa90abd0e748f2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9