Analysis Overview
SHA256
2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad
Threat Level: Known bad
The file читы.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 20:40
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 20:40
Reported
2024-05-26 20:43
Platform
win7-20231129-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\читы.exe
"C:\Users\Admin\AppData\Local\Temp\читы.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {560E88DB-B5F8-44B1-A640-9179F73328EC} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Delta.exe
C:\Users\Admin\AppData\Roaming\Delta.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | advertise-located.gl.at.ply.gg | udp |
| US | 147.185.221.19:54921 | advertise-located.gl.at.ply.gg | tcp |
Files
memory/948-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
memory/948-1-0x00000000013D0000-0x00000000013F0000-memory.dmp
memory/1632-6-0x0000000002EC0000-0x0000000002F40000-memory.dmp
memory/1632-8-0x0000000000380000-0x0000000000388000-memory.dmp
memory/1632-7-0x000000001B610000-0x000000001B8F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 15841efbe8c8fa85ba10863e6a5c4841 |
| SHA1 | fc25330fceb4d76a0282b32e72366223ddd32564 |
| SHA256 | 9226b2723ccaf8ed4f9589aa121eac8a6edc405636c3a93796219b261c6cebd2 |
| SHA512 | 267b6a14b15464fe578ef93b983bc4ed9104db25dccc66ffa2478919a3094b86a5d3a35bf997be162b4e55dddffb5f0e6707ed9a7faf290eeb0c31183edd079c |
memory/2256-14-0x000000001B4A0000-0x000000001B782000-memory.dmp
memory/2256-15-0x0000000002B00000-0x0000000002B08000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/948-31-0x000000001B070000-0x000000001B0F0000-memory.dmp
memory/948-32-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
C:\Users\Admin\AppData\Roaming\Delta.exe
| MD5 | 7c4229f56dd1abf353b7615e099cb3a8 |
| SHA1 | f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08 |
| SHA256 | 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad |
| SHA512 | e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41 |
memory/2968-36-0x00000000011B0000-0x00000000011D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.bat
| MD5 | 4f949207780c3dbd234d3913c09d7b76 |
| SHA1 | 005f81a0250e0b6bcb52c23511dfe0a14abf895f |
| SHA256 | ead105808dbd49a81bfa4b5a413f29113258efa840ab5142f08ff8063115f540 |
| SHA512 | 5f778f83789732c91948e165a62d7b81009656a9146e1253d9efa3a96ec7f6a2e1326cc2eece00bbf2837235976ccd505228a43bbe1555be6a7aed85776138a9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 20:40
Reported
2024-05-26 20:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\читы.exe
"C:\Users\Admin\AppData\Local\Temp\читы.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
C:\Users\Admin\AppData\Roaming\Delta.exe
C:\Users\Admin\AppData\Roaming\Delta.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5A4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp |
| US | 147.185.221.19:54921 | 19.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | advertise-located.gl.at.ply.gg | udp |
| US | 147.185.221.19:54921 | advertise-located.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
memory/3376-0-0x00007FF8E95B3000-0x00007FF8E95B5000-memory.dmp
memory/3376-1-0x0000000000480000-0x00000000004A0000-memory.dmp
memory/1336-2-0x000001E9A6090000-0x000001E9A60B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cks3y5l.haj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1336-12-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp
memory/1336-13-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp
memory/1336-14-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp
memory/1336-17-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22310ad6749d8cc38284aa616efcd100 |
| SHA1 | 440ef4a0a53bfa7c83fe84326a1dff4326dcb515 |
| SHA256 | 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf |
| SHA512 | 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cc19bcff372d20459d3651ba8aef50e7 |
| SHA1 | 3c6f1d4cdd647864fb97a16b1aefba67fcee11f7 |
| SHA256 | 366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9 |
| SHA512 | a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080 |
memory/3376-56-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp
memory/3376-57-0x00007FF8E95B3000-0x00007FF8E95B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Delta.exe
| MD5 | 7c4229f56dd1abf353b7615e099cb3a8 |
| SHA1 | f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08 |
| SHA256 | 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad |
| SHA512 | e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41 |
memory/3376-65-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB5A4.tmp.bat
| MD5 | 40e5c23b3570235bb97011da9eeedab6 |
| SHA1 | 7fd4fac33f4d8cba87efae940b1068ba918231f5 |
| SHA256 | c12952e33ce4180b72f18beae9e5f8bea990a5f85208cfe55e28f736c3b8ecb2 |
| SHA512 | 5698caf03fc885e080afa600ba88333eb77bcaa811e2d98d737188c4762388f6b8963bd12ec25f6063f8dac4bb266e257be4836efa8a2c70f56e6d49b26bdddd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d0bf7c59021e44510b5245f12924529 |
| SHA1 | 537728b04ed0b045f6e84a2bf8c2930e3bc266b3 |
| SHA256 | 7cd70e48dda05f9d156c313e741d37b9e1a943fd64ab18af10dac11a4a2faeae |
| SHA512 | 5fbb980d13b4560a4a8cbdf0414c112199aff3f1af9cabf6a4e9b04ddf0815ad8571aea73eed89181e504a2d2ec3d873d3806cf5a4cafb4a43e6b7165453d83e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c740b7699e2363ac4ecdf496520ca35 |
| SHA1 | aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9 |
| SHA256 | be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61 |
| SHA512 | 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9072d3c4faa83ef0f5ed5b299b75618d |
| SHA1 | f2bb8ee12abae6da1406fc566810ce397f1d054b |
| SHA256 | 9f9196488c5ae1227d43941675252f2399ef20aebba80ed6a829822104c40475 |
| SHA512 | a7bb981438e7d0932291531f49c00ca2b57a5c44cedede2b81f5a6abeefb4f00434e0c2edb2d3ad33c21e61e88091042f9d783f9fd39b18cfd1306b450f1f6bb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.bat
| MD5 | fe3385a3691ed23280c2220db0e57c1f |
| SHA1 | 922b0673342212fe8273f2d59c218ec8c5ccfea9 |
| SHA256 | 88d3c846c5cd844cfea84b4f05f47cf4c1311837d270fb9791f9fb1fc83f7290 |
| SHA512 | 2be4fd12c01a7a756b079fc89c1b0eeaa9908837eafe47b5f81030105b6518dd4a3572f9cddcd43c233320b84447f37a099fd1dde0b678621faa72f8642678b7 |