Malware Analysis Report

2024-09-11 14:49

Sample ID: 240611-pz318axglm
Target: ultrahook_antiprocesscmd_bypass.exe
SHA256: dc856fb70d4e39552a8138f2897ac67b4f62061c75118a8f009e1355cc93a923
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: dc856fb70d4e39552a8138f2897ac67b4f62061c75118a8f009e1355cc93a923
Threat Level: Known bad

The file ultrahook_antiprocesscmd_bypass.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm execution persistence rat trojan

In the behavioral1 run the sample (a 32-bit .NET executable: its children run from SysWOW64 and it leaves CLR_v4.0_32 usage logs) hides its threads from debuggers, enables SeDebugPrivilege, and launches four powershell.exe children that add Defender path and process exclusions for itself and for its copy. It copies itself to C:\Users\Admin\AppData\Roaming\svchost.exe (same SHA256 as the sample) and persists three ways: a Run value named "svchost" in the user's hive, a Startup-folder shortcut svchost.lnk, and a scheduled task named "svchost" that relaunches the copy every minute at the highest run level. It then looks up its external IP on ip-api.com, fetches from pastebin.com over HTTPS and opens a TCP connection to 0.tcp.eu.ngrok.io:16117, which the report classes as abused hosting/C2. The taskmgr.exe rows in the signature tables are Task Manager's own activity; nothing in the report ties them to the sample.

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-11 12:46

Signatures

Unsigned PE

The file carries no Authenticode signature; the report records no per-event Description/Indicator/Process/Target for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 12:46
Reported: 2024-06-11 12:49
Platform: win10-20240404-en
Max time kernel: 144s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe"

Signatures

Detect Xworm Payload

7 hits; the report records no per-event Description/Indicator/Process/Target for this signature (all N/A).

Xworm

trojan rat xworm
Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A   (2 events)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | N/A

The value sits in the logged-on user's hive (HKCU\...\Run from inside that session), so it fires at that user's logon and needs no admin rights to write. The name "svchost" is chosen to blend in with the legitimate service host, which never runs from a user profile; a svchost.exe under AppData is suspicious on its own.

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A   (2 events)
N/A | 0.tcp.eu.ngrok.io | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

The Network section shows the order: ip-api.com (external IP lookup) first, then pastebin.com over HTTPS, then a TCP connection to the ngrok endpoint. Reading the C2 host:port from a paste before connecting is a known XWorm configuration option, so the pastebin request is the likely source of the ngrok address, but the report does not show the paste content and this remains an inference.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | N/A   (16 events)
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A   (2 events)

NtSetInformationThread with the ThreadHideFromDebugger class (0x11) detaches the calling thread from any attached debugger, so breakpoints and single-stepping in that thread stop working; its only purpose in an unsigned user-mode executable is anti-debugging. Both the original and the dropped copy make the call, as expected for an identical binary.

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A

Both signatures are raised only by taskmgr.exe: resource-cache .pri files and a disk FriendlyName lookup are consistent with Task Manager drawing its own UI, not with anything the sample did. The Ven_QEMU&Prod_HARDDISK device name does expose the QEMU-backed sandbox, which a VM-aware sample could use for evasion, but nothing here shows the sample or its copy reading it.

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

The full command line is in the Processes section: schtasks /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe". That is a task named "svchost", overwriting any existing task of that name (/f), running the dropped copy every minute at the highest run level the creating token allows. The one-minute trigger doubles as a watchdog: killing the copy without first deleting the task buys at most sixty seconds.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | N/A   (3 events)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A   (12 events)
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A   (10 events)
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A   (4 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | N/A   (2 events)
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A   (4 events, one per instance)
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A   (2 events)

"Token: 33" is a privilege the sandbox did not map to a name; LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. The rows that matter are SeDebugPrivilege enabled by the sample and by its copy: it lets OpenProcess succeed on processes the token's own access check would deny, which is the prerequisite for the process enumeration and tampering the "antiprocess" file name hints at. Task Manager enables its set of privileges by design.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A   (36 events, all taskmgr.exe)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A   (36 events, all taskmgr.exe)

Suspicious use of WriteProcessMemory

Every write comes from the sample (PID 4764) into a child it has just spawned, three writes per child, in the order the children were started:

Description | Indicator | Process | Target
PID 4764 wrote to memory of 2000 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 4344 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 4824 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 5068 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 1056 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe | C:\Windows\SysWOW64\schtasks.exe

A fixed number of writes into each new child, and none into any pre-existing process, is the pattern a parent produces when CreateProcess copies the process parameters and environment into the child; it is not evidence of injection into a running process. The targets are the four powershell.exe instances and the schtasks.exe from the Processes section.

Processes

C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe  (PID 4764)
  "C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ultrahook_antiprocesscmd_bypass.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ultrahook_antiprocesscmd_bypass.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\schtasks.exe  (PID 1056)
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe  (listed four times with the image path only; the report records no distinct command line for these instances)

Notes on the command lines:

The four powershell.exe instances are PIDs 2000, 4344, 4824 and 5068 (WriteProcessMemory rows). Each command line names System32, but the image that actually ran is under SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection, so a 32-bit PowerShell ran and the CLR_v4.0_32 usage logs in the Files section belong to it.

Together the four invocations exclude both the original file and the dropped copy from Defender by path, and exclude any process named ultrahook_antiprocesscmd_bypass.exe or svchost.exe. A bare name in -ExclusionProcess matches every process with that name, so the last one also covers the legitimate service host, which makes it hard to spot as anomalous in an exclusion list. Add-MpPreference only succeeds from an elevated context; the report does not show whether the calls succeeded, only that they were made. -ExecutionPolicy Bypass is needless here (it governs script files, not inline commands) and is a useful detection string precisely because it is so often cargo-culted by malware.

The schtasks command creates a task named "svchost" that runs the copy every minute with /RL HIGHEST; the Run value and the Startup shortcut cover the next logon, the task covers the current session.
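The following host-triage script is an added example written for this report; it is not part of the sandbox output or of the sample. It looks for the five artefacts the behavioral1 run attributes to the sample (Run value, scheduled task, Startup shortcut, dropped copy, Defender exclusions) on a live Windows 10 host and hashes any dropped copy against the report's SHA256. Assumptions of mine: the ScheduledTasks and Defender PowerShell modules are present and the script runs from an elevated prompt (Get-MpPreference and other users' hives need it). The function name Get-XwormArtifact and the $SampleSha256 variable are my own; all paths, task and value names come from the report above.

```powershell
# Added example for this report, not part of the sandbox output or the sample.
# Assumptions (mine): Windows 10, ScheduledTasks + Defender modules present,
# elevated prompt. Paths, names and the hash below are taken from the report.

$SampleSha256 = 'DC856FB70D4E39552A8138F2897AC67B4F62061C75118A8F009E1355CC93A923'

function Get-XwormArtifact {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Where, [string]$Evidence) {
        $findings.Add([pscustomobject]@{ Category = $Category; Where = $Where; Evidence = $Evidence })
    }

    # 1. Run value HKU\<SID>\...\CurrentVersion\Run\svchost -> %APPDATA%\svchost.exe
    #    The report shows it in one user's hive; check every loaded user hive.
    $userHives = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
    foreach ($hive in $userHives) {
        $runKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $runKey)) { continue }
        $run = Get-ItemProperty -Path $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a value
            if ("$($prop.Value)" -match '\\AppData\\Roaming\\svchost\.exe') {
                Add-Finding 'Run value' "$($hive.PSChildName)\...\Run\$($prop.Name)" $prop.Value
            }
        }
    }

    # 2. Scheduled task created with /tn "svchost" /tr "...\AppData\Roaming\svchost.exe"
    #    Match on the action, not the task name: the name is trivially changed.
    try {
        foreach ($task in Get-ScheduledTask -ErrorAction Stop) {
            foreach ($action in @($task.Actions)) {
                if ("$($action.Execute)" -match '\\AppData\\Roaming\\svchost\.exe') {
                    $where = "$($task.TaskPath)$($task.TaskName) RunLevel=$($task.Principal.RunLevel)"
                    Add-Finding 'Scheduled task' $where $action.Execute
                }
            }
        }
    } catch { Write-Warning "Get-ScheduledTask failed: $_" }

    # 3. Startup-folder shortcut svchost.lnk, resolved to the target it launches
    $shell = New-Object -ComObject WScript.Shell
    $lnkGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk'
    foreach ($lnk in Get-ChildItem -Path $lnkGlob -ErrorAction SilentlyContinue) {
        Add-Finding 'Startup shortcut' $lnk.FullName $shell.CreateShortcut($lnk.FullName).TargetPath
    }

    # 4. Dropped copy: the real svchost.exe never lives under a user profile
    foreach ($exe in Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\svchost.exe' -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
        $verdict = if ($hash -eq $SampleSha256) { 'identical to report sample' } else { 'hash differs from report sample' }
        Add-Finding 'Dropped file' $exe.FullName "$hash ($verdict)"
    }

    # 5. Defender exclusions added with Add-MpPreference -ExclusionPath / -ExclusionProcess
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        foreach ($p in @($mp.ExclusionPath)) {
            if ("$p" -match '\\AppData\\(Local\\Temp|Roaming)\\') { Add-Finding 'Defender ExclusionPath' $p '' }
        }
        foreach ($p in @($mp.ExclusionProcess)) {
            # a bare name excludes every process with that name, the real svchost.exe included
            if ("$p" -match '^(svchost|ultrahook_antiprocesscmd_bypass)\.exe$') {
                Add-Finding 'Defender ExclusionProcess' $p ''
            }
        }
    } catch { Write-Warning "Get-MpPreference failed: $_" }

    return $findings
}

Get-XwormArtifact | Format-Table -AutoSize
```

When cleaning up, order matters because of the one-minute task: unregister the task first (Unregister-ScheduledTask -TaskName svchost -Confirm:$false), stop the running copy, then remove the Run value (Remove-ItemProperty), the .lnk and the .exe, and only then drop the exclusions with Remove-MpPreference -ExclusionPath / -ExclusionProcess. Deleting the file before the task will just see it re-launched from any second copy the task can still reach, and removing the exclusions first gives Defender a chance to quarantine the file while the task is still racing to run it.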

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.3.235:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp
DE | 3.125.102.39:16117 | 0.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 39.102.125.3.in-addr.arpa | udp

Three outbound connections in sequence: plain-HTTP geolocation on ip-api.com (port 80, so the request and the returned public IP travel in clear), HTTPS to pastebin.com, then TCP to 0.tcp.eu.ngrok.io on port 16117, the connection the report classes as C2. ngrok TCP endpoints are shared infrastructure with rotating high ports, so detect on the *.tcp.*.ngrok.io hostname family rather than on the 3.125.102.39:16117 pair, which will differ between builds of the same family. The in-addr.arpa queries are reverse lookups of each contacted IP; the report does not say which process issued them, so they may come from the sandbox's own instrumentation rather than from the sample.

Files

Memory dumps are named memory/<PID>-<sequence>-<start>-<end>. PID 4764 is the sample; 2000, 4344, 4824 and 5068 are its four powershell.exe children (see the WriteProcessMemory rows). PIDs 4208 and 2352 each carry an image region 0x190000-0x53E000 of exactly the same size (0x3AE000 bytes) as the sample's own 0x250000-0x5FE000 and are listed next to the svchost.exe entries, consistent with instances of the dropped copy.

memory/4764-0-0x0000000000250000-0x00000000005FE000-memory.dmp

memory/4764-1-0x0000000073AFE000-0x0000000073AFF000-memory.dmp

memory/4764-2-0x0000000000250000-0x00000000005FE000-memory.dmp

memory/4764-3-0x00000000057D0000-0x000000000586C000-memory.dmp

memory/4764-4-0x0000000005730000-0x0000000005796000-memory.dmp

memory/4764-5-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/2000-8-0x00000000043C0000-0x00000000043F6000-memory.dmp

memory/2000-9-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/2000-10-0x0000000006E80000-0x00000000074A8000-memory.dmp

memory/2000-11-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/2000-12-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/2000-14-0x0000000006DD0000-0x0000000006E36000-memory.dmp

memory/2000-13-0x0000000006D30000-0x0000000006D52000-memory.dmp

memory/2000-15-0x0000000007800000-0x0000000007B50000-memory.dmp

memory/2000-16-0x0000000007640000-0x000000000765C000-memory.dmp

memory/2000-17-0x0000000007FF0000-0x000000000803B000-memory.dmp

memory/2000-18-0x0000000007EB0000-0x0000000007F26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfdmigiu.gjn.ps1
(standard PowerShell start-up artefact: the host writes a one-character script containing "1" to test the AppLocker/script-execution policy, and the hashes below are those of the string "1"; it carries no sample-specific content)

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2000-35-0x0000000008D50000-0x0000000008D83000-memory.dmp

memory/2000-36-0x000000006F4D0000-0x000000006F51B000-memory.dmp

memory/2000-38-0x0000000008D30000-0x0000000008D4E000-memory.dmp

memory/2000-37-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/2000-43-0x00000000090A0000-0x0000000009145000-memory.dmp

memory/2000-44-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/2000-45-0x0000000009270000-0x0000000009304000-memory.dmp

memory/2000-238-0x0000000009220000-0x000000000923A000-memory.dmp

memory/2000-243-0x0000000009210000-0x0000000009218000-memory.dmp

memory/2000-259-0x0000000073AF0000-0x00000000741DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
(.NET usage log written for the 32-bit CLR v4.0 process, confirming the SysWOW64 PowerShell ran)

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77ebe6abc8a933a14562cfe545e55c4a
SHA1 018c73820bc56e3a7450c5da38a8b58b78060832
SHA256 d4ec58635f09fb9ca7610b7774754138d27b5e2b10ea6f515e8f27da779fe1bb
SHA512 5e9e924797b65f378e2165c9be7c255c4500fc4081b3f96e851d07c58da3f9254246f33da4d01846c928cf5aaf4cd23150038be1a10dd1741cc0b9d30902c573

memory/4344-281-0x000000006F4D0000-0x000000006F51B000-memory.dmp

memory/4824-498-0x0000000007A00000-0x0000000007D50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17d7b8ee2182cd5364c664528c4a875b
SHA1 1ebf57ad498526c5a874cca5ab2b1f796b811428
SHA256 b81dda42d0513945fe9dc8f11645b0426e2aedf3e50a63758356cce275ab5ede
SHA512 26010e3fa993333d4342de058d694a9578bc769fec37d8d422035560095df641619c2ee21413c47674457c35dfa7357a3f4cd4d2161bab303a079aed8f62a9ff

memory/4824-516-0x000000006F4D0000-0x000000006F51B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be218be1c9610ae22269d7c2245885a9
SHA1 8d551d1ec51aa4e0d6b3f95112185315ae74d2d9
SHA256 1485f363b9f9426232134e7be44f2240c0670d6d3fd3ef9b0bf49164ab69e0cd
SHA512 ab43912c3cb4c664f46d401389b16867add40f9e4792c4aff8082092df84002d65ae0c01a2c842b87643a7952afb0394e19e71aaa8d6c4eed5f7fc05f4358c48

memory/4764-746-0x0000000000250000-0x00000000005FE000-memory.dmp

memory/5068-751-0x000000006F4D0000-0x000000006F51B000-memory.dmp

memory/4764-975-0x0000000073AFE000-0x0000000073AFF000-memory.dmp

memory/4764-976-0x00000000070A0000-0x000000000759E000-memory.dmp

memory/4764-977-0x0000000006F50000-0x0000000006FE2000-memory.dmp

memory/4764-978-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

MD5 dea8a0992c2ff0d8c3b37a19621e82ae
SHA1 6d43b1d02369ea4689e6af3219c6babc456d8663
SHA256 42bf1581eaeb1e26d6c790f053f025cc4523d1d76bb3d4297dfcc13bee466970
SHA512 40f754b88a33f2459aeab19b3bb842db396949e88348ce3fbe23c4f0471c434266273699e8559d4685b578854ed2c348ee6720b0e5a5390ad76b27a768af9155

C:\Users\Admin\AppData\Roaming\svchost.exe
(SHA256 identical to the submitted sample: the dropped file is a byte-for-byte copy, so every hash below also identifies the original)

MD5 2e8d53246d80a360d9ef4b87197b6bd8
SHA1 2f97d0c0a112f909899efc331db93a143a987977
SHA256 dc856fb70d4e39552a8138f2897ac67b4f62061c75118a8f009e1355cc93a923
SHA512 3e7914fdff4d467f52a91996cbf047a6033c3eb5a7b605ad1f0ee18ea328f37de3bb911d1a4144aa05fb20375a39811ac93ddbe0fcfe42ddb4845bc002bcf2d5

memory/4764-982-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/4208-989-0x0000000000190000-0x000000000053E000-memory.dmp

memory/4208-990-0x0000000000190000-0x000000000053E000-memory.dmp

memory/4208-991-0x0000000000190000-0x000000000053E000-memory.dmp

memory/4208-994-0x0000000000190000-0x000000000053E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
(.NET usage log for the dropped copy: it ran as a 32-bit .NET Framework 4 process, consistent with XWorm, a .NET RAT)

MD5 18b4b20964ba71871f587253160ae3b1
SHA1 b0670adc90ecec31186448446ed43fc188be4559
SHA256 cb7844efb0b5fa59684743fa546012600ffe6fcc3aeb6c243796c1b1d8978987
SHA512 3fd458c517e43734477b209d38cd79f44f0b46de2c81386f83db99bd2f1fe27bff6594422c747d6b7eb32d24738d7257c94716c28a26205200958265d0cb5826

memory/2352-1001-0x0000000000190000-0x000000000053E000-memory.dmp

memory/2352-1003-0x0000000000190000-0x000000000053E000-memory.dmp

memory/2352-1006-0x0000000000190000-0x000000000053E000-memory.dmp