Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-3a44wasbrf
Target Hamisa Group pty Ltd.exe
SHA256 c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db

Threat Level: Known bad

The file Hamisa Group pty Ltd.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 23:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 23:19

Reported

2024-06-20 23:22

Platform

win7-20240611-en

Max time kernel

117s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hamisa Group pty Ltd.lnk | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hamisa Group pty Ltd.lnk | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hamisa Group pty Ltd = "C:\\Users\\Admin\\AppData\\Roaming\\Hamisa Group pty Ltd.exe" | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2784 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2784 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2784 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2716 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2716 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe

"C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe

"C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Hamisa Group pty Ltd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Hamisa Group pty Ltd.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | omirbekov.duckdns.org | udp
CA | 38.15.147.233:4048 | omirbekov.duckdns.org | tcp

Files

memory/2784-0-0x000000007477E000-0x000000007477F000-memory.dmp

memory/2784-1-0x0000000000F70000-0x0000000000FE2000-memory.dmp

memory/2784-2-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/2784-3-0x0000000004DE0000-0x0000000004E4A000-memory.dmp

memory/2784-4-0x0000000000720000-0x0000000000732000-memory.dmp

memory/2784-5-0x0000000000730000-0x0000000000738000-memory.dmp

memory/2784-6-0x0000000000A70000-0x0000000000A7C000-memory.dmp

memory/2784-7-0x0000000004FE0000-0x0000000005036000-memory.dmp

memory/2716-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-14-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2716-18-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-11-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2716-9-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2784-19-0x0000000074770000-0x0000000074E5E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6505df5053c28d946cd31f5da0b5bdb6
SHA1 e0b9b14bf6583121abf3c8b20c91176d468291b5
SHA256 14c19968312fe99c709204998d75af20d5fae225db85348ffc1626066132d23b
SHA512 b1db3d405fd7865c3bbc414b57f053ae67d51fbccc27e5b3dad3aa4b40938275cf8e86014d32130ec9122cc7c4eb273a6e4fa831457dde9b8223baf05d41375c

\Users\Admin\AppData\Roaming\Hamisa Group pty Ltd.exe

MD5 d9c9bb67226f0cf7ec29fb0dc84b4d90
SHA1 b9bfe67a4df466960f8bcf7602f9765bab2068b4
SHA256 c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db
SHA512 6348a457dab60f2dc4cbc1cca36cf89e9f9b9e08da20879b7910329c49cb214532522385b2634e973eb27845896dee3782a79aa475818724ddec5ac4c0635df5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 23:19

Reported

2024-06-20 23:22

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hamisa Group pty Ltd.lnk | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hamisa Group pty Ltd.lnk | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hamisa Group pty Ltd = "C:\\Users\\Admin\\AppData\\Roaming\\Hamisa Group pty Ltd.exe" | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2612 set thread context of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2612 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 2612 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe
PID 1104 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe

"C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe

"C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hamisa Group pty Ltd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Hamisa Group pty Ltd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Hamisa Group pty Ltd.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | omirbekov.duckdns.org | udp
CA | 38.15.147.233:4048 | omirbekov.duckdns.org | tcp
US | 8.8.8.8:53 | 233.147.15.38.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp

Files

memory/2612-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

memory/2612-1-0x0000000000320000-0x0000000000392000-memory.dmp

memory/2612-2-0x0000000005240000-0x00000000057E4000-memory.dmp

memory/2612-3-0x0000000004D70000-0x0000000004E02000-memory.dmp

memory/2612-4-0x00000000057F0000-0x0000000005B44000-memory.dmp

memory/2612-5-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2612-6-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

memory/2612-7-0x0000000005160000-0x00000000051FC000-memory.dmp

memory/2612-8-0x0000000006080000-0x00000000065AC000-memory.dmp

memory/2612-9-0x0000000005FF0000-0x000000000605A000-memory.dmp

memory/2612-10-0x0000000005230000-0x0000000005242000-memory.dmp

memory/2612-11-0x0000000005C70000-0x0000000005C78000-memory.dmp

memory/2612-12-0x0000000005C80000-0x0000000005C8C000-memory.dmp

memory/2612-13-0x0000000006DB0000-0x0000000006E06000-memory.dmp

memory/1104-14-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hamisa Group pty Ltd.exe.log

MD5 066de00160405ae58bf670a82b983548
SHA1 256973db594068e7f37c3011c4f1c00c515eb5fc
SHA256 e913b51520dab2615dabef13f0abc8f24a9ebd0c84c455dac6cc7811d36f81ea
SHA512 3bc8cf1f1ec78cc5ac1542964d3d64a9de0d45dcd4b95aa0ce242355faa311c5b64db36968b56dc56984227c752b7c8e41a36fffd7e86ebf30feb241542f0c97

memory/2612-17-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1104-18-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/612-19-0x0000000002F80000-0x0000000002FB6000-memory.dmp

memory/612-21-0x0000000005AF0000-0x0000000006118000-memory.dmp

memory/612-22-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/612-20-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/612-23-0x00000000059E0000-0x0000000005A02000-memory.dmp

memory/612-25-0x0000000006220000-0x0000000006286000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnodyugc.mc2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/612-24-0x0000000005A80000-0x0000000005AE6000-memory.dmp

memory/612-31-0x0000000006290000-0x00000000065E4000-memory.dmp

memory/612-36-0x00000000068E0000-0x00000000068FE000-memory.dmp

memory/612-37-0x0000000006EA0000-0x0000000006EEC000-memory.dmp

memory/612-38-0x0000000006E60000-0x0000000006E92000-memory.dmp

memory/612-39-0x0000000072860000-0x00000000728AC000-memory.dmp

memory/612-40-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/612-51-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/612-52-0x0000000007AD0000-0x0000000007B73000-memory.dmp

memory/612-50-0x0000000006E20000-0x0000000006E3E000-memory.dmp

memory/612-53-0x0000000008250000-0x00000000088CA000-memory.dmp

memory/612-54-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/612-55-0x0000000007C80000-0x0000000007C8A000-memory.dmp

memory/612-56-0x0000000007E90000-0x0000000007F26000-memory.dmp

memory/612-66-0x0000000007E10000-0x0000000007E21000-memory.dmp

memory/612-67-0x0000000007E40000-0x0000000007E4E000-memory.dmp

memory/612-68-0x0000000007E50000-0x0000000007E64000-memory.dmp

memory/612-69-0x0000000007F50000-0x0000000007F6A000-memory.dmp

memory/3556-70-0x0000000072860000-0x00000000728AC000-memory.dmp

memory/612-80-0x0000000007F30000-0x0000000007F38000-memory.dmp

memory/612-83-0x0000000074BE0000-0x0000000075390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af4d828d1a33d41dcadaf13ac0cd0152
SHA1 e7cc23fbf6592c2ce991fbb945b6d04ea2e4bffd
SHA256 fbc3335d0544d0ba98452950b305a2e6d3869c7b85a3a8670e2e076e6e4d08bd
SHA512 db290539c4d2a59dafb9ad7815c5e21e4462baef5690a776a1c525f4e9cc7a0a9cf354948bb621c127afa35e5211349df92a49f1e1f70cb26496af01951d46d8

memory/2280-97-0x0000000072860000-0x00000000728AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 47ba8d0a74dbb297d46811aa4eb38827
SHA1 183b53b24ba2be351105b3da690c804b4378548d
SHA256 c56dd49c490aa0e8550a195706165fde6e9d010523262afb96eae56c60f7ac1a
SHA512 cf23a8eebf62a2221f77254173344420a1e3bfbc1e68d4d86379bd74dc3d2b63f7fcf61f649748c9a3192b3090f0d42cee674024fe9697719d9d9174f2ebceff

memory/5112-118-0x0000000072860000-0x00000000728AC000-memory.dmp

memory/1104-135-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1104-136-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1104-137-0x0000000074BE0000-0x0000000075390000-memory.dmp