Analysis Overview
SHA256
3684ae4716bf63da137d84df3b52dc186bd234087432fb19a4c62410a894a667
Threat Level: Known bad
The file a77f9f8096b832ba68658b03c5410b22 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Drops startup file
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-26 22:22
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-26 22:22
Reported
2024-02-26 22:24
Platform
win7-20240221-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| 17 signature matches (indicator details not recorded by the report) | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A (2 events) | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious use of SetThreadContext
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData:ApplicationData | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A (19 events) | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe
"C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2656 259406917
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2504 259410146
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2716 259411098
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 1524 259413391
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2932 259415263
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3032 259417837
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2844 259419304
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 944 259420692
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3008 259422346
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2128 259423968
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 3004 259425357
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2696 259426839
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2516 259428508
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2936 259430473
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 1664 259432236
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 576 259433968
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 1096 259435902
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2992 259437743
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2196 259439412
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 2020 259441144
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 892 259442860
Network
| Country | Destination | Domain | Proto |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
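The following is an added example, not part of this sandbox report or the sample's own code. It turns the behaviours that both detonations (behavioral1 and behavioral2) record into detection rules and runs them over a constructed event list transcribed from the signature tables, process list and network table above: the Defender exclusion for the whole C: drive (`Add-MpPreference -ExclusionPath C:\`), the NTFS alternate data streams (`C:\ProgramData:ApplicationData`, `programs.bat:start`), the Startup-folder drops, the Run key that points into ProgramData, and the 111.90.146.200:5200 connection. The rule that rates a Windows system binary writing to the Startup folder as high severity rests on an inference: the report's flattened process list does not record parent processes, so notepad.exe writing image.vbs is taken to be consistent with the SetThreadContext/WriteProcessMemory signatures rather than shown to be injection. Event field names, rule names and severities are this example's own.

```python
"""Added example: detection rules for the behaviours recorded in this report,
run over a constructed event list. Not code from the sandbox or the sample."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


STARTUP_DIR = r"\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = r"\Microsoft\Windows\CurrentVersion\Run"
# Locations a standard user can write to; a Run value pointing here is a red flag.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Network IOC taken from this report's Network table.
C2_IOCS = {("111.90.146.200", 5200, "tcp")}
DEFENDER_EXCL = re.compile(
    r"add-mppreference.*?-exclusion(?:path|process|extension)\s+\"?([^\s\"]+)", re.I)


def defender_exclusion(cmdline):
    """Flag Add-MpPreference exclusions; excluding a whole drive root is the worst case."""
    m = DEFENDER_EXCL.search(cmdline)
    if not m:
        return None
    target = m.group(1)
    sev = "high" if re.fullmatch(r"[a-z]:\\?", target, re.I) else "medium"
    return Finding("defender_exclusion", sev, f"Defender exclusion added for {target}")


def ads_stream(path):
    """Return the NTFS alternate-data-stream name in path, or None if there is none."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path  # skip the drive colon
    body = re.sub(r":\$DATA$", "", body, flags=re.I)             # drop an explicit type
    if ":" not in body:
        return None
    return body.rsplit(":", 1)[1] or None


def startup_write(path, process):
    """Flag writes into the per-user Startup folder; a Windows system binary doing it
    (notepad.exe in this report) is rated high because it is consistent with injection."""
    if STARTUP_DIR.lower() not in path.lower():
        return None
    writer = ntpath.basename(process)
    if process.lower().startswith("c:\\windows\\"):
        return Finding("startup_folder_write", "high",
                       f"{writer} (system binary) wrote {ntpath.basename(path)}")
    return Finding("startup_folder_write", "medium", f"{writer} wrote {ntpath.basename(path)}")


def run_key_persistence(key, value):
    """Flag Run-key values that point into user-writable directories."""
    if RUN_KEY.lower() not in key.lower():
        return None
    target = value.replace("\\\\", "\\").strip('"').lower()  # undo the report's escaping
    name = key.rsplit("\\", 1)[-1]
    if any(marker in target for marker in USER_WRITABLE):
        return Finding("run_key_user_writable", "high", f"Run\\{name} -> {target}")
    return Finding("run_key_write", "low", f"Run\\{name} -> {target}")


def scan(events):
    """Apply every rule to every event and collect the findings."""
    findings = []
    for ev in events:
        hits = []
        if ev["type"] == "process":
            hits.append(defender_exclusion(ev["cmdline"]))
        elif ev["type"] == "file":
            stream = ads_stream(ev["path"])
            if stream:
                hits.append(Finding("ntfs_ads_write", "medium",
                                    f"{ev['path']} (stream {stream!r}) by {ntpath.basename(ev['process'])}"))
            hits.append(startup_write(ev["path"], ev["process"]))
        elif ev["type"] == "registry":
            hits.append(run_key_persistence(ev["key"], ev["value"]))
        elif ev["type"] == "network" and (ev["dst"], ev["port"], ev["proto"]) in C2_IOCS:
            hits.append(Finding("c2_ioc_match", "high", f"{ev['dst']}:{ev['port']}/{ev['proto']}"))
        findings.extend(h for h in hits if h)
    return findings


def summarise(findings):
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample events, transcribed from the signature tables, process list
# and network table of this report; the last two rows are benign controls.
EVENTS = [
    {"type": "process", "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"type": "process", "cmdline": r"C:\Windows\system32\cmd.exe /c test.exe"},
    {"type": "file", "process": r"C:\Windows\SysWOW64\notepad.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs"},
    {"type": "file", "process": r"C:\Users\Admin\AppData\Local\Temp\test.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start"},
    {"type": "file", "process": r"C:\Users\Admin\AppData\Local\Temp\test.exe",
     "path": r"C:\ProgramData:ApplicationData"},
    {"type": "registry", "process": r"C:\Users\Admin\AppData\Local\Temp\test.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "value": r'"C:\\ProgramData\\images.exe"'},
    {"type": "network", "dst": "111.90.146.200", "port": 5200, "proto": "tcp"},
    {"type": "file", "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\Admin\Documents\notes.txt"},
    {"type": "network", "dst": "93.184.216.34", "port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Run as-is it prints seven findings and nothing for the two control rows. On a live host the same questions are answered by `Get-MpPreference` (the ExclusionPath property), `Get-Item -Path <file> -Stream *` for alternate data streams, and `Get-ItemProperty` on the Run key; the ADS check matters here because a directory entry such as `C:\ProgramData` looks empty to a plain file listing while still carrying the stream.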
Files
memory/2524-1-0x0000000000400000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 927f2eb4beb38d925b3f29888f4faa9e |
| SHA1 | 0de7008a074337d9437a145319681f608ac1baee |
| SHA256 | 042f3b72dd1f50e1d42935e31c8d8fd1dadd1c623f85440a47aafc29673e09e8 |
| SHA512 | d71132e1e7d238a57b3557596ab955639f82647388cd32ee40ab98a593242a6eef50b3b699d8374ddfc69774f5c4a3c47fce1c26e1065f0aa90a9818da859411 |
memory/2864-6-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2864-7-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2864-8-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2584-9-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2656-12-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2584-17-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/2656-18-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2704-20-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2704-22-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2524-21-0x0000000000400000-0x0000000000C00000-memory.dmp
memory/2704-24-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2656-25-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2656-39-0x0000000000400000-0x0000000000553000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 636b8f2c82559d9a4702c3f50af41db2 |
| SHA1 | cb4d8436a38d5049a91df14aa5646ae158be4ccb |
| SHA256 | d278992af9409018161845115c196b7d7faf1843a8138bae5d1e7b2136d8ed65 |
| SHA512 | 29abf16150295310a97fcdd0614e2629b9e850479aa113e708b438bc6e3d3f0237cd24c94badd47a8599adea2575251ddd2963175819572eca90d4d95b5e8299 |
\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | e045acd7da053280720f4404d1b19590 |
| SHA1 | cc7793f62f016e03bee235b2a2ad003525d3d89c |
| SHA256 | 07bdd44042e474dda49baeda2c97f053366c87e126ebd0c9f904b8096fbd3823 |
| SHA512 | 7dfe155250ec0824ff16cb538d7cf6360bdee683958ba864682889003d9c00e5f7c3cf13bae831cc7695b274e9e25b69b64aaeee68974b6d58402d3f666838cf |
memory/2616-52-0x0000000000400000-0x00000000004FC000-memory.dmp
C:\ProgramData\images.exe
| MD5 | d983fd0b78b5f0f5db285ee2b1b5c0a2 |
| SHA1 | 80921be149a2b4997e90462465af5819283ecf72 |
| SHA256 | a0932c824bd008775cba6a164c14519641197a9d7c5f7a1630226805985f1591 |
| SHA512 | e4ad1787f10f2d1a336dad3b16bf6ac84ae6a92d09719a96ea0f030567d7399e7fe9300939ae68422190d15cd058378c1a33fc20b4f6ba9d74da399ebe18b1d2 |
C:\ProgramData\images.exe
| MD5 | 91b28ca3de12a917cd682a16ff4c8fb1 |
| SHA1 | b8e1085711806046034dbedef31f1c8f81fcc80d |
| SHA256 | 3b452794db6bafcad6b1678343caa31305249be92e3c0e3e0acc583b00a78bb4 |
| SHA512 | 613571338b07da13b35db21be39017980dc33a61d7b4e4b315239e5d62d65f62cc97a94665bb609a024743882332517e77f74d0c79e9214d8eefa57514e9ba31 |
memory/2616-44-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2616-42-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2504-56-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2456-57-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2456-59-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2456-61-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2904-64-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2904-66-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2504-71-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2752-77-0x0000000000400000-0x00000000004FC000-memory.dmp
C:\ProgramData (zero-length content; the hashes below are those of empty input, consistent with the empty ApplicationData alternate data stream the NTFS ADS signature records on this directory)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2904-74-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2752-78-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2716-79-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2792-80-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/2752-82-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2792-81-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2792-83-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2792-84-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/2504-85-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1384-89-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1384-92-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/1384-91-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1084-100-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1084-101-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/1524-102-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1084-103-0x00000000003E0000-0x00000000003E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ef9528202cfc667b9d921d32fb20bd73 |
| SHA1 | 1b59cbbc31c226b82bed7602dbaa95058d58dbaa |
| SHA256 | a1574c2c5b9ff3e8da9d16148b9a11518544ac331d5ca827fbe2e247b6482267 |
| SHA512 | 2bb1ddbb49b64aa7a85cbd6e6626e4cc95295fefb663203cce7b9bb53e3cc6fc5c171b51d9bd1377d9be07b2cdb2f6d92f9b9567fb9c26a3ea0c076e214e2842 |
memory/2268-109-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2268-110-0x00000000023E0000-0x0000000002420000-memory.dmp
memory/2268-111-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2268-112-0x00000000023E0000-0x0000000002420000-memory.dmp
memory/1524-113-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2792-118-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/2716-117-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2792-120-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/1460-122-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1460-123-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/1460-125-0x0000000000690000-0x0000000000691000-memory.dmp
memory/1200-132-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2932-133-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1200-134-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2792-136-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/1200-135-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2792-131-0x0000000002770000-0x00000000027B0000-memory.dmp
memory/2268-137-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2792-138-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2932-139-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2232-143-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2232-145-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2232-146-0x0000000000600000-0x0000000000601000-memory.dmp
memory/2120-154-0x0000000000220000-0x0000000000221000-memory.dmp
memory/3032-155-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2120-156-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2120-157-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/3032-158-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1920-163-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/1920-166-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2844-173-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2848-174-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/1920-164-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2844-176-0x0000000000400000-0x0000000000553000-memory.dmp
C:\ProgramData\images.exe
| MD5 | 1bb85dabf28324af9128aaa56b6ed285 |
| SHA1 | d6fe601514624be5c671415e3fb9378a0de37a63 |
| SHA256 | 01fa5de76942c797e7b581036f985cbda1f7b70faeafaaaf7c8f84a472ffb79d |
| SHA512 | fc2c924b45c260084d2fc4bdf64628d1906258fd68ae59001401c739029f6e4fd570af946f911a177f2a20ef3f5e284248a0a1cb4dd11d9e503ea81bcb8d1ebb |
C:\ProgramData\images.exe
| MD5 | 52627a572b33f868fefeefb94b9190d4 |
| SHA1 | 9f41f71b092696defe4cf068389828b2632b9f7b |
| SHA256 | 67185fd41b66c02887794303c6d84ddf562ef870bca2da1d3731b8a93c4a2a71 |
| SHA512 | e18329b1f6af57da86fa19a607b8760ea97881e52740e68471d5b6a2ff0c5c5f36ebb670f7c80f9367d38016abeeed1aff66d3886937b6d4c6941d51c7b7269b |
C:\ProgramData\images.exe
| MD5 | eb98b0b09972cac8ba1d085be1ed860a |
| SHA1 | 387139baa019568b698e1b5020a48f1b66bdf87f |
| SHA256 | 02c96d2669ab605259cfba92b8be216b77fca988da0ccadb18824552bbe68005 |
| SHA512 | 40a589645d1b510a06b2605025e46db47e6688c1190b9bfd06acab61615bbe5660eb38a3de289be554e8bf97c2dee9e58768c84331cd768dccd1557a41c4efbf |
C:\ProgramData\images.exe
| MD5 | e08b44966543acbdb5444bbef1f6920e |
| SHA1 | 79d213780443d577968e8d583198ba27c8401d38 |
| SHA256 | 774f828165e7254f8e762044f940cb56e923e73b3b20a158997867bcb30b5cb7 |
| SHA512 | d641c7004c766187845e90e915ab22938ce178f1683df2778a1c80f24d36da80780eef54c294c51b0c8879e1970cfae168498c48535e8ff54a5bca6fd3e3e86b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-26 22:22
Reported
2024-02-26 22:24
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| 16 signature matches (indicator details not recorded by the report) | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created (62 events) | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs | C:\Windows\SysWOW64\notepad.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious use of SetThreadContext
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData:ApplicationData | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe
"C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4060 240601328
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe" 2 4580 240603906
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 468 240604406
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2180 240607031
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4360 240609984
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1272 240611593
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2836 240613031
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2624 240614453
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 220 240615796
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 840 240617203
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4072 240618531
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1048 240619875
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4132 240621281
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5072 240622671
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4116 240624078
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5088 240625375
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1988 240626609
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2508 240627906
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2660 240629062
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 740 240630312
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4948 240631562
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2144 240632687
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5020 240633921
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3540 240635140
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3644 240636312
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1140 240637468
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1116 240638671
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1592 240639875
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1812 240641015
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2844 240642265
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2432 240643531
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4280 240644812
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5052 240646000
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3360 240647156
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5060 240648359
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1324 240649625
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3624 240650828
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4956 240652140
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3956 240653281
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1940 240654562
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4968 240655734
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1124 240657000
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1180 240658187
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4264 240659406
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1564 240660656
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3640 240661781
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1312 240662921
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4104 240664062
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2384 240665359
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1308 240666546
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 804 240667687
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2956 240668828
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4344 240670046
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1640 240671359
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1784 240672640
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1408 240673796
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3684 240674953
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4300 240676125
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2576 240677250
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4640 240678406
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 664 240679515
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2400 240680718
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3492 240681890
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3584 240683046
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4484 240684234
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 448 240685484
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3304 240686656
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1668 240687843
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1220 240689093
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4000 240690296
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3884 240691562
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3232 240692812
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4912 240694000
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1560 240695171
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4940 240696406
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4372 240697562
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4532 240698859
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 216 240699984
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2952 240701140
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4832 240702390
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2052 240703531
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4656 240704828
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4792 240706015
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1840 240707250
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2248 240708453
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 64 240709625
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2232 240710750
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5056 240711921
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4144 240713078
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4364 240714234
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2476 240715375
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2360 240716562
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3876 240717671
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1072 240718828
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3952 240720093
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1976 240721328
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5028 240722484
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1896 240723734
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1740 240724906
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4644 240726140
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3144 240727328
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3964 240728453
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2572 240729640
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4304 240730796
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4828 240732093
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 436 240733406
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2508 240734562
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1756 240735828
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2192 240737062
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 912 240738218
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4368 240739406
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3364 240740546
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2680 240741703
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1440 240742921
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4836 240744156
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3500 240745421
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2864 240746578
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 380 240747828
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3588 240749078
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1980 240750203
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| MY | 111.90.146.200:5200 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| MY | 111.90.146.200:5200 | | tcp |
| MY | 111.90.146.200:5200 | | tcp |
Files
memory/3672-0-0x0000000000400000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 927f2eb4beb38d925b3f29888f4faa9e |
| SHA1 | 0de7008a074337d9437a145319681f608ac1baee |
| SHA256 | 042f3b72dd1f50e1d42935e31c8d8fd1dadd1c623f85440a47aafc29673e09e8 |
| SHA512 | d71132e1e7d238a57b3557596ab955639f82647388cd32ee40ab98a593242a6eef50b3b699d8374ddfc69774f5c4a3c47fce1c26e1065f0aa90a9818da859411 |
memory/1480-5-0x00000000007F0000-0x00000000007F1000-memory.dmp
memory/1480-6-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/1480-7-0x0000000002410000-0x0000000002411000-memory.dmp
memory/4060-8-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4264-10-0x0000000000930000-0x0000000000931000-memory.dmp
memory/4060-14-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4060-16-0x0000000000400000-0x0000000000553000-memory.dmp
memory/3672-18-0x0000000000400000-0x0000000000C00000-memory.dmp
memory/4752-20-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/4752-19-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/4752-17-0x0000000002160000-0x0000000002161000-memory.dmp
memory/4060-28-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4668-33-0x0000000000400000-0x00000000004FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs
| MD5 | 90b614224692a9bd6e0adbfb37dd9cf1 |
| SHA1 | 0cbb2d0467c777c3e841a917851cca254976ddd6 |
| SHA256 | c614d292879badb2f7f31497063b78356511b31368c148b7e9afc9556d48bacc |
| SHA512 | bd8cd25fe6c4adc4ee0dd6f0ccb152349447125b9817bc84a85b9fbeff240aacae4776084ee09e3de520193e0cd19ce54e7669949334b9cc72a2763dbbfd5a05 |
memory/4580-35-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4668-34-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/4856-43-0x0000000004700000-0x0000000004736000-memory.dmp
memory/4856-41-0x00000000046F0000-0x0000000004700000-memory.dmp
memory/4856-46-0x0000000004D70000-0x0000000005398000-memory.dmp
memory/4856-45-0x0000000074FA0000-0x0000000075750000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs
| MD5 | 6b4f59023f5d6bc476dadd3e6f0c755c |
| SHA1 | 0103543d47ffa83eb1c0dfbab02dfb1c2325aa70 |
| SHA256 | 5a602b409c616b4c3b445311c97b6a54c4e00ed4496bdb15d09274651495ac80 |
| SHA512 | 90d549487bab90655982339cd459077f385b377f4c56875f5b1ca6667905e0e14f5ee282417e990f322caf5b1d3d818957349172e4591a2370486b734116fef1 |
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | e08b44966543acbdb5444bbef1f6920e |
| SHA1 | 79d213780443d577968e8d583198ba27c8401d38 |
| SHA256 | 774f828165e7254f8e762044f940cb56e923e73b3b20a158997867bcb30b5cb7 |
| SHA512 | d641c7004c766187845e90e915ab22938ce178f1683df2778a1c80f24d36da80780eef54c294c51b0c8879e1970cfae168498c48535e8ff54a5bca6fd3e3e86b |
memory/2712-54-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2712-50-0x00000000007F0000-0x00000000007F1000-memory.dmp
memory/4580-56-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4672-53-0x00000000020C0000-0x00000000020C1000-memory.dmp
memory/4856-57-0x00000000053A0000-0x00000000053C2000-memory.dmp
memory/4856-58-0x00000000046F0000-0x0000000004700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwbbv0y5.3ok.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/468-66-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4672-71-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/4856-65-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/4856-59-0x00000000055D0000-0x0000000005636000-memory.dmp
memory/4672-72-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/3848-74-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/3848-75-0x00000000006E0000-0x00000000006E1000-memory.dmp
memory/4856-73-0x0000000005920000-0x0000000005C74000-memory.dmp
memory/3848-76-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/4856-77-0x0000000005CC0000-0x0000000005CDE000-memory.dmp
memory/4856-78-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
memory/468-79-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4332-83-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/4332-84-0x00000000021E0000-0x00000000021E1000-memory.dmp
memory/4332-86-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/2180-94-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4420-95-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/4420-96-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/4420-97-0x0000000000400000-0x00000000004FC000-memory.dmp
memory/3444-99-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/3444-98-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/4856-100-0x0000000006290000-0x00000000062C2000-memory.dmp
memory/3444-102-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/4856-114-0x00000000046F0000-0x0000000004700000-memory.dmp
memory/4856-113-0x000000007EF30000-0x000000007EF40000-memory.dmp
memory/4856-115-0x00000000046F0000-0x0000000004700000-memory.dmp
memory/4856-116-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/4856-112-0x0000000006270000-0x000000000628E000-memory.dmp
memory/4856-101-0x0000000070FC0000-0x000000007100C000-memory.dmp
memory/4856-117-0x0000000006E90000-0x0000000006F33000-memory.dmp
memory/4856-127-0x0000000007610000-0x0000000007C8A000-memory.dmp
memory/4856-128-0x0000000006FD0000-0x0000000006FEA000-memory.dmp
memory/4856-129-0x0000000007040000-0x000000000704A000-memory.dmp
memory/4856-130-0x0000000007270000-0x0000000007306000-memory.dmp
memory/4856-131-0x00000000071F0000-0x0000000007201000-memory.dmp
memory/3444-133-0x0000000070FC0000-0x000000007100C000-memory.dmp
memory/4856-134-0x00000000046F0000-0x0000000004700000-memory.dmp
memory/4580-132-0x0000000000400000-0x0000000000553000-memory.dmp
memory/3444-144-0x00000000024A0000-0x00000000024B0000-memory.dmp
memory/4856-145-0x0000000007220000-0x000000000722E000-memory.dmp
memory/2180-146-0x0000000000400000-0x0000000000553000-memory.dmp
memory/4856-148-0x0000000007230000-0x0000000007244000-memory.dmp
memory/4856-149-0x0000000007330000-0x000000000734A000-memory.dmp
memory/3100-153-0x0000000002070000-0x0000000002071000-memory.dmp
memory/4856-152-0x0000000007310000-0x0000000007318000-memory.dmp
memory/3100-154-0x00000000020E0000-0x00000000020E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bc8b13b8057a3a8b800b84afcd1b41f2 |
| SHA1 | 19fa5f22836888bae57d7e3b8fd50a1fc2a6cc08 |
| SHA256 | d0597ecbd247a35ab5997512b7f25ad7f8d764b82fde83b00cce45561a00932a |
| SHA512 | 14350e8112a314f1b17ebdae77a24334e1a26a0e5e547679c89882b16eef2cd57afd3c7cbde9d4c292d483f7de4d0dd7a47b99fe276c56d58fcdc5fb66a9d909 |
memory/4360-173-0x0000000000400000-0x0000000000553000-memory.dmp
memory/1272-192-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2836-211-0x0000000000400000-0x0000000000553000-memory.dmp
memory/2624-232-0x0000000000400000-0x0000000000553000-memory.dmp
memory/220-251-0x0000000000400000-0x0000000000553000-memory.dmp