Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-zdrq6swfma
Target Feather Nowy.exe
SHA256 9a697d8f7158b3e91f0a01f9196590114c443bb5acdbc17cc3822046283b2a5d
Tags xworm execution persistence rat trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file Feather Nowy.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:36

Signatures

Detect Xworm Payload

(no indicator details recorded for this signature)

Xworm family

xworm

Unsigned PE

(no indicator details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:36

Reported

2024-06-20 22:03

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe"

Signatures

Detect Xworm Payload

(no indicator details recorded for this signature)

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Feather Patch Nowy.lnk C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Feather Patch Nowy.lnk C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe N/A
(this row appears 30 times in the report, once per launch of the dropped executable)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Feather Patch Nowy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Feather Patch Nowy.exe" C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(the 22-row powershell.exe sequence above appears three times in the report; the third copy is cut short after Token: 33)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Feather Nowy.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather Nowy.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather Patch Nowy.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Feather Patch Nowy" /tr "C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe"

C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe"

(this process entry appears 30 times in the report, matching the scheduled task that launches it every minute)

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:33694 tcp
US 8.8.8.8:53 lake-french.gl.at.ply.gg udp
US 147.185.221.20:33694 lake-french.gl.at.ply.gg tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
(duplicate rows collapsed: the report lists the lake-french.gl.at.ply.gg lookup, the 147.185.221.20:33694 connection and the 127.0.0.1:33694 loopback connection repeatedly throughout the run)

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cm4iazdb.qjq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bdbad6a86e04bae65118b6531109bd00
SHA1 d50d8630f46e4f2b637b0f8838aae910ca167c38
SHA256 5aa7a12a20f540c82178a46608085ccb9848b6d5ec5823b03ee11ff4aa6d3e0a
SHA512 71bd1dbb7e9cabeccd1a2be6e85c7a618741605d9e648db6d2d8a34565fb4b0b4e3ef460f2f7dc7cd8101fe27433858d32ad006dc6d79a969a7ad875181571f0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 420d555c1f8df0f2f14ec9e3943af798
SHA1 9523a5d061a168db09fe06d4684d134db22e6294
SHA256 1a7faa0a8940bf40096f4d67545f0dbdece799fa44ab13c4da81e32b250093c2
SHA512 97081bffb96fdcf31fe50445f2bf008024422f7726f84a16b09f49390dccfa3b22f0a566c0b45776658a285ead54d1cec54de8b8092eac115607328afcc07c8a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e79945ce140664d3b2387c54dc1be1c
SHA1 b6644078746ee136660a13dd07278f7380fdb201
SHA256 21de5acffd74d2de9db81d3bb3fc1dd9e0c85f6f56c18c76769e362a898b5003
SHA512 a80bb6ff7673b7a062ded5b7e39e491199fcdba8f17220f602e4a56a8f9d928a62bc176f20c1cc2300b507adc11be142d5255f5f77f1a43824e1a62ff404d081

C:\Users\Admin\AppData\Local\Temp\Feather Patch Nowy.exe

MD5 dbf36667c73c5e1bd6dcf2005c84aa29
SHA1 1db961a84cc78184868aecc362067162bef19397
SHA256 9a697d8f7158b3e91f0a01f9196590114c443bb5acdbc17cc3822046283b2a5d
SHA512 0798159097fc143b03573b8129af4b34a7304ae515723819dd818a63c2dcdf434c98c4d5cddd8c9e648c0d36e133ad3f95edbf175b32cce1d7fd31a191b7eeab
(same SHA256 as the submitted sample: the dropped file is an identical copy of Feather Nowy.exe)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Feather Patch Nowy.exe.log

MD5 16c5fce5f7230eea11598ec11ed42862
SHA1 75392d4824706090f5e8907eee1059349c927600
SHA256 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc