Malware Analysis Report

2024-11-16 13:40

Sample ID 240531-xlp67sad68
Target проверка.exe
SHA256 c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2

Threat Level: Known bad

The file проверка.exe was found to be: Known bad. In the Windows 7 run it copied itself to C:\Users\Admin\AppData\Roaming\Delta.exe (the dropped file carries the same SHA256 as the submitted sample) and the copy was started by the Task Scheduler service; in both runs it added Defender exclusions for the original and the copy, registered a Run key, a Startup-folder shortcut and a one-minute scheduled task named "Delta", then connected to 147.185.221.19:65468.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 18:56

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 18:56

Reported

2024-05-31 18:59

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1620 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 1620 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3760 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC043.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.ip.gl.ply.gg | udp
US | 147.185.221.19:65468 | 19.ip.gl.ply.gg | tcp
US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp

Files

memory/1620-0-0x00007FFE97363000-0x00007FFE97365000-memory.dmp

memory/1620-1-0x0000000000D80000-0x0000000000DA0000-memory.dmp

memory/3564-7-0x0000012CF3A00000-0x0000012CF3A22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acfwppwu.5g5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3564-12-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/3564-13-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/3564-14-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/3564-17-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b51dc9e5ec3c97f72b4ca9488bbb4462
SHA1 5c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256 976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA512 0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd98baf5a9c30d41317663898985593b
SHA1 ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA256 9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512 bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

memory/1620-56-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/1620-57-0x00007FFE97363000-0x00007FFE97365000-memory.dmp

memory/1620-64-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC043.tmp.bat

MD5 38278c2e5d1c7f493466f884a2c9e540
SHA1 ee809be03f111473b1f5c8e5cba92f4caf4be6a3
SHA256 eb107b3c069e084649ca76f3e7d1dcfba3679e8bb6ff8ad2c7e30985c13add8f
SHA512 e545978967fd348d1347bcf25e7e47013b3fe8fc01c2ca64e95ac98b71abd7eeb339749dad1b4e440881a6049e269db3080fd0eb3065a23ab26ff11586bf326f

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 18:56

Reported

2024-05-31 18:59

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2724 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 2724 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 2724 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 2000 wrote to memory of 2704 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2000 wrote to memory of 2704 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2000 wrote to memory of 2704 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Delta.exe
PID 2724 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 2724 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 2724 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\System32\schtasks.exe
PID 2724 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\проверка.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2368 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2368 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe

"C:\Users\Admin\AppData\Local\Temp\проверка.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C53DF466-E70C-4696-9BA2-86EFBA667D4D} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D71.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | speed-wheat.gl.at.ply.gg | udp
US | 147.185.221.19:65468 | speed-wheat.gl.at.ply.gg | tcp
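The two Network tables (this run and the Windows 10 run above) mix sandbox noise with the one connection that matters: the in-addr.arpa rows are the analysis host's reverse lookups, the bing.com / mm.bing.net rows are Windows background traffic, and the only outbound TCP session in both runs goes to 147.185.221.19:65468, reached under a different hostname in each run (19.ip.gl.ply.gg and speed-wheat.gl.at.ply.gg). The triage below is an added example, not part of the report; the allowlist of background domains and the treatment of ply.gg as a tunnelling-provider suffix (playit.gg) are this example's assumptions. The input is a constructed subset of the two tables' rows copied as text.

```python
import re
from collections import defaultdict

# Constructed input: representative rows from both Network tables of this report.
NETWORK_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:65468 19.ip.gl.ply.gg tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 speed-wheat.gl.at.ply.gg udp
US 147.185.221.19:65468 speed-wheat.gl.at.ply.gg tcp
"""

BENIGN_SUFFIXES = (".bing.com", ".bing.net")   # assumption: OS background traffic in this sandbox
TUNNEL_SUFFIXES = (".ply.gg",)                  # assumption: playit.gg tunnel hostnames
WEB_PORTS = (80, 443)

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' lines into dicts; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def triage(rows: list) -> dict:
    """Split rows into PTR noise, DNS queries and scored C2 candidates.
    Score: 1 for any non-allowlisted TCP session, +1 for a tunnel-provider hostname,
    +1 for a port outside 80/443."""
    out = {"ptr_noise": 0, "dns": [], "c2_candidates": []}
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            out["ptr_noise"] += 1
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            out["dns"].append(r["domain"])
            continue
        if r["domain"].endswith(BENIGN_SUFFIXES) and r["port"] in WEB_PORTS:
            continue
        score = 1
        if r["domain"].endswith(TUNNEL_SUFFIXES):
            score += 1
        if r["port"] not in WEB_PORTS:
            score += 1
        out["c2_candidates"].append((r["ip"], r["port"], r["domain"], score))
    return out


def stable_endpoints(candidates: list) -> dict:
    """Collapse candidates onto ip:port so hostnames that vary between runs
    (as they do here) are seen as one endpoint."""
    by_ep = defaultdict(set)
    for ip, port, domain, _ in candidates:
        by_ep[(ip, port)].add(domain)
    return dict(by_ep)


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    print(f"ptr noise: {t['ptr_noise']}, dns: {t['dns']}")
    for ep, names in stable_endpoints(t["c2_candidates"]).items():
        print(f"{ep[0]}:{ep[1]} <- {sorted(names)}")
```

147.185.221.19 is a tunnel provider's address, so ip:port identifies the tunnel exit rather than the operator's host, and the same exit can be handed to other tenants later; use it as a hunting pivot together with the hostnames and the dropped-file indicators (Delta.exe, the "Delta" task and Run key) rather than as a standalone long-lived block entry. Both runs resolved their ply.gg name through 8.8.8.8, so the DNS query itself is a second, independent detection point.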

Files

memory/2724-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

memory/2724-1-0x0000000000970000-0x0000000000990000-memory.dmp

memory/2496-6-0x0000000002CE0000-0x0000000002D60000-memory.dmp

memory/2496-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/2496-8-0x0000000002290000-0x0000000002298000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 332e756ce3eeb8dd1ac976bc7287c900
SHA1 ce901a49d25663e50cbf37b008b12a5fab6fa4a9
SHA256 c1c8b2175406522d9547ae1446dee733a7bc95906f3a8ba9dab73d07f815a264
SHA512 0033e34b896f46b7b9a15df912f6068802f6c3620b969f0a6bcdebb03becdbd2fd46c24bc16da65dcff4cdb7daed3d5099ce951091fccf8885011e6b76566ff8

memory/2516-14-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/2516-15-0x0000000002810000-0x0000000002818000-memory.dmp

memory/2724-30-0x000000001ADA0000-0x000000001AE20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 69c00aa1f2cecc09093eec932c788209
SHA1 2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c
SHA256 c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2
SHA512 8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214

memory/2704-34-0x0000000001140000-0x0000000001160000-memory.dmp

memory/2724-35-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

memory/2724-36-0x000000001ADA0000-0x000000001AE20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8D71.tmp.bat

MD5 e3c856b4ca2206ac7fd2522910f8bf86
SHA1 a64029beba69695d666917129f99301e760192fe
SHA256 4e494e4da49670172d9cdbd37de26e4ec8034bd93fe0da77e4ca1afc28b4a85e
SHA512 53cc10deb3b79c22f618c6fdadacdbc6dc32acf0034b10156e4b95c00d1682907e42a6a92f3a3566f795792677dc6f90f583d9f139656150c59f112bf6fb4f74