Malware Analysis Report

2025-01-22 13:54

Sample ID 240226-2aadtsac5x
Target a77f9f8096b832ba68658b03c5410b22
SHA256 3684ae4716bf63da137d84df3b52dc186bd234087432fb19a4c62410a894a667
Tags
upx warzonerat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file a77f9f8096b832ba68658b03c5410b22 was found to be: Known bad.

Malicious Activity Summary

WarzoneRat, AveMaria

Warzone RAT payload

Drops startup file

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2024-02-26 22:22

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 22:22

Reported

2024-02-26 22:24

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\test.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A (6 identical rows)
N/A N/A C:\ProgramData\images.exe N/A (57 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2864 set thread context of 2656 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2616 set thread context of 2504 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2456 set thread context of 2716 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1384 set thread context of 1524 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1460 set thread context of 2932 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2232 set thread context of 3032 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1920 set thread context of 2844 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1928 set thread context of 944 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2000 set thread context of 3008 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2212 set thread context of 2128 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2532 set thread context of 3004 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1556 set thread context of 2696 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2708 set thread context of 2516 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2224 set thread context of 2936 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1484 set thread context of 1664 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 616 set thread context of 576 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 3040 set thread context of 1096 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2724 set thread context of 2992 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 1168 set thread context of 2196 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 636 set thread context of 2020 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2028 set thread context of 892 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData:ApplicationData C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A (45 identical rows)
N/A N/A C:\ProgramData\images.exe N/A (18 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 1628 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe (4 identical rows)
PID 2864 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe (6 identical rows)
PID 2864 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe (4 identical rows)
PID 2864 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe (4 identical rows)
PID 2656 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2656 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\ProgramData\images.exe (4 identical rows)
PID 2616 wrote to memory of 2436 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe (6 identical rows)
PID 2616 wrote to memory of 2504 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe (4 identical rows)
PID 2704 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe (4 identical rows)
PID 2616 wrote to memory of 2904 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe (4 identical rows)
PID 2456 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe (6 identical rows)
PID 2456 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe (4 identical rows)
PID 2456 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe (4 identical rows)
PID 2904 wrote to memory of 1384 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe (2 identical rows)

Processes

Path Command line
C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe "C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe test.exe
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe "C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2656 259406917
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2504 259410146
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe "C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\Users\Admin\AppData\Local\Temp\test.exe "C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2716 259411098
C:\Users\Admin\AppData\Local\Temp\test.exe "C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 1524 259413391
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2932 259415263
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 3032 259417837
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2844 259419304
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 944 259420692
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 3008 259422346
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2128 259423968
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 3004 259425357
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2696 259426839
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2516 259428508
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2936 259430473
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 1664 259432236
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 576 259433968
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 1096 259435902
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2992 259437743
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2196 259439412
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 2020 259441144
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\notepad.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe"
C:\ProgramData\images.exe "C:\ProgramData\images.exe" 2 892 259442860

Network

Country Destination Domain Proto
MY 111.90.146.200:5200 tcp (6 identical rows)

Files

memory/2524-1-0x0000000000400000-0x0000000000C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 927f2eb4beb38d925b3f29888f4faa9e
SHA1 0de7008a074337d9437a145319681f608ac1baee
SHA256 042f3b72dd1f50e1d42935e31c8d8fd1dadd1c623f85440a47aafc29673e09e8
SHA512 d71132e1e7d238a57b3557596ab955639f82647388cd32ee40ab98a593242a6eef50b3b699d8374ddfc69774f5c4a3c47fce1c26e1065f0aa90a9818da859411

memory/2864-6-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2864-7-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2864-8-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2584-9-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2656-12-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2584-17-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2656-18-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2704-20-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2704-22-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2524-21-0x0000000000400000-0x0000000000C00000-memory.dmp

memory/2704-24-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2656-25-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2656-39-0x0000000000400000-0x0000000000553000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 636b8f2c82559d9a4702c3f50af41db2
SHA1 cb4d8436a38d5049a91df14aa5646ae158be4ccb
SHA256 d278992af9409018161845115c196b7d7faf1843a8138bae5d1e7b2136d8ed65
SHA512 29abf16150295310a97fcdd0614e2629b9e850479aa113e708b438bc6e3d3f0237cd24c94badd47a8599adea2575251ddd2963175819572eca90d4d95b5e8299

\Users\Admin\AppData\Local\Temp\test.exe

MD5 e045acd7da053280720f4404d1b19590
SHA1 cc7793f62f016e03bee235b2a2ad003525d3d89c
SHA256 07bdd44042e474dda49baeda2c97f053366c87e126ebd0c9f904b8096fbd3823
SHA512 7dfe155250ec0824ff16cb538d7cf6360bdee683958ba864682889003d9c00e5f7c3cf13bae831cc7695b274e9e25b69b64aaeee68974b6d58402d3f666838cf

memory/2616-52-0x0000000000400000-0x00000000004FC000-memory.dmp

C:\ProgramData\images.exe

MD5 d983fd0b78b5f0f5db285ee2b1b5c0a2
SHA1 80921be149a2b4997e90462465af5819283ecf72
SHA256 a0932c824bd008775cba6a164c14519641197a9d7c5f7a1630226805985f1591
SHA512 e4ad1787f10f2d1a336dad3b16bf6ac84ae6a92d09719a96ea0f030567d7399e7fe9300939ae68422190d15cd058378c1a33fc20b4f6ba9d74da399ebe18b1d2

C:\ProgramData\images.exe

MD5 91b28ca3de12a917cd682a16ff4c8fb1
SHA1 b8e1085711806046034dbedef31f1c8f81fcc80d
SHA256 3b452794db6bafcad6b1678343caa31305249be92e3c0e3e0acc583b00a78bb4
SHA512 613571338b07da13b35db21be39017980dc33a61d7b4e4b315239e5d62d65f62cc97a94665bb609a024743882332517e77f74d0c79e9214d8eefa57514e9ba31

memory/2616-44-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2616-42-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2504-56-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2456-57-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2456-59-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2456-61-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2904-64-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2904-66-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2504-71-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2752-77-0x0000000000400000-0x00000000004FC000-memory.dmp

C:\ProgramData

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2904-74-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2752-78-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2716-79-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2792-80-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2752-82-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2792-81-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2792-83-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2792-84-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2504-85-0x0000000000400000-0x0000000000553000-memory.dmp

memory/1384-89-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1384-92-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/1384-91-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1084-100-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1084-101-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/1524-102-0x0000000000400000-0x0000000000553000-memory.dmp

memory/1084-103-0x00000000003E0000-0x00000000003E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ef9528202cfc667b9d921d32fb20bd73
SHA1 1b59cbbc31c226b82bed7602dbaa95058d58dbaa
SHA256 a1574c2c5b9ff3e8da9d16148b9a11518544ac331d5ca827fbe2e247b6482267
SHA512 2bb1ddbb49b64aa7a85cbd6e6626e4cc95295fefb663203cce7b9bb53e3cc6fc5c171b51d9bd1377d9be07b2cdb2f6d92f9b9567fb9c26a3ea0c076e214e2842

memory/2268-109-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2268-110-0x00000000023E0000-0x0000000002420000-memory.dmp

memory/2268-111-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2268-112-0x00000000023E0000-0x0000000002420000-memory.dmp

memory/1524-113-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2792-118-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2716-117-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2792-120-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/1460-122-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1460-123-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/1460-125-0x0000000000690000-0x0000000000691000-memory.dmp

memory/1200-132-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2932-133-0x0000000000400000-0x0000000000553000-memory.dmp

memory/1200-134-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2792-136-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/1200-135-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2792-131-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2268-137-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2792-138-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2932-139-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2232-143-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2232-145-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/2232-146-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2120-154-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3032-155-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2120-156-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2120-157-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/3032-158-0x0000000000400000-0x0000000000553000-memory.dmp

memory/1920-163-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/1920-166-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2844-173-0x0000000000400000-0x0000000000553000-memory.dmp

memory/2848-174-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/1920-164-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2844-176-0x0000000000400000-0x0000000000553000-memory.dmp

C:\ProgramData\images.exe

MD5 1bb85dabf28324af9128aaa56b6ed285
SHA1 d6fe601514624be5c671415e3fb9378a0de37a63
SHA256 01fa5de76942c797e7b581036f985cbda1f7b70faeafaaaf7c8f84a472ffb79d
SHA512 fc2c924b45c260084d2fc4bdf64628d1906258fd68ae59001401c739029f6e4fd570af946f911a177f2a20ef3f5e284248a0a1cb4dd11d9e503ea81bcb8d1ebb

C:\ProgramData\images.exe

MD5 52627a572b33f868fefeefb94b9190d4
SHA1 9f41f71b092696defe4cf068389828b2632b9f7b
SHA256 67185fd41b66c02887794303c6d84ddf562ef870bca2da1d3731b8a93c4a2a71
SHA512 e18329b1f6af57da86fa19a607b8760ea97881e52740e68471d5b6a2ff0c5c5f36ebb670f7c80f9367d38016abeeed1aff66d3886937b6d4c6941d51c7b7269b

C:\ProgramData\images.exe

MD5 eb98b0b09972cac8ba1d085be1ed860a
SHA1 387139baa019568b698e1b5020a48f1b66bdf87f
SHA256 02c96d2669ab605259cfba92b8be216b77fca988da0ccadb18824552bbe68005
SHA512 40a589645d1b510a06b2605025e46db47e6688c1190b9bfd06acab61615bbe5660eb38a3de289be554e8bf97c2dee9e58768c84331cd768dccd1557a41c4efbf

C:\ProgramData\images.exe

MD5 e08b44966543acbdb5444bbef1f6920e
SHA1 79d213780443d577968e8d583198ba27c8401d38
SHA256 774f828165e7254f8e762044f940cb56e923e73b3b20a158997867bcb30b5cb7
SHA512 d641c7004c766187845e90e915ab22938ce178f1683df2778a1c80f24d36da80780eef54c294c51b0c8879e1970cfae168498c48535e8ff54a5bca6fd3e3e86b

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 22:22

Reported

2024-02-26 22:24

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\test.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\test.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.vbs C:\Windows\SysWOW64\notepad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1480 set thread context of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4668 set thread context of 4580 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 2712 set thread context of 468 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 set thread context of 2180 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3100 set thread context of 4360 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4216 set thread context of 1272 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1472 set thread context of 2836 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2576 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 664 set thread context of 220 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1308 set thread context of 840 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 464 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1416 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4376 set thread context of 4132 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4856 set thread context of 5072 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 904 set thread context of 4116 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4676 set thread context of 5088 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4136 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1072 set thread context of 2508 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1100 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2692 set thread context of 740 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1608 set thread context of 4948 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4356 set thread context of 2144 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 640 set thread context of 5020 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4200 set thread context of 3540 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4516 set thread context of 3644 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2920 set thread context of 1140 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4528 set thread context of 1116 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2248 set thread context of 1592 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4544 set thread context of 1812 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2904 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1980 set thread context of 2432 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2016 set thread context of 4280 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1684 set thread context of 5052 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3552 set thread context of 3360 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2772 set thread context of 5060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2416 set thread context of 1324 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1424 set thread context of 3624 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4232 set thread context of 4956 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3348 set thread context of 3956 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4432 set thread context of 1940 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 944 set thread context of 4968 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2232 set thread context of 1124 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3344 set thread context of 1180 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 212 set thread context of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2820 set thread context of 1564 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2772 set thread context of 3640 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 5008 set thread context of 1312 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2404 set thread context of 4104 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1236 set thread context of 2384 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1100 set thread context of 1308 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3340 set thread context of 804 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1892 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4452 set thread context of 4344 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3500 set thread context of 1640 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4928 set thread context of 1784 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1884 set thread context of 1408 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 116 set thread context of 3684 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 5008 set thread context of 4300 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2532 set thread context of 2576 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1840 set thread context of 4640 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4544 set thread context of 664 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4808 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1608 set thread context of 3492 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2232 set thread context of 3584 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData:ApplicationData C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\ProgramData\images.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 116 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 116 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4060 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4060 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4060 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4060 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\ProgramData\images.exe
PID 4060 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\ProgramData\images.exe
PID 4060 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\ProgramData\images.exe
PID 4668 wrote to memory of 5088 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4668 wrote to memory of 5088 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4668 wrote to memory of 5088 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4668 wrote to memory of 5088 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4668 wrote to memory of 5088 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\notepad.exe
PID 4668 wrote to memory of 4580 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4668 wrote to memory of 4580 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4668 wrote to memory of 4580 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4668 wrote to memory of 4672 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4668 wrote to memory of 4672 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4668 wrote to memory of 4672 N/A C:\ProgramData\images.exe C:\ProgramData\images.exe
PID 4752 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4752 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4752 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2712 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 2712 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 2712 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 2712 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 2712 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 2712 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2712 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2712 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2712 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2712 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 2712 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3848 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3848 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 3848 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 4332 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 4332 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 4332 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 4332 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 4332 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4332 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 4580 wrote to memory of 3444 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 3444 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
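The rows above, read together with the command lines in the Processes list that follows, are enough to rebuild the chain and to write a first-pass detector for it. The script below is an added example for this page; it is not part of the sandbox report and not code from the sample. It parses rows in the exact form rendered above, collapses the repeats into a per-edge write count (each row is one call, and the page shows three writes for every plain launch but five for each notepad.exe target, so the count is part of the signal), prints the resulting tree, and flags four things visible in this report: a non-system image writing into notepad.exe (the hollowing candidate), a process writing into a fresh copy of its own image, a powershell.exe command line that adds a Defender path exclusion, and a launch whose `2 <n> <m>` arguments name a PID that already appears in the write graph (the page gives no meaning for those arguments, so the example only reports the match). Assumptions: SAMPLE_EVENTS is a constructed subset copied from the rows above; the PIDs attached to SAMPLE_CMDLINES are assigned for illustration because the Processes list prints none, except 4856, which the rows above identify as a powershell.exe target; and HOST_IMAGES extends the page's notepad.exe with a few other binaries commonly used as injection hosts. Paths are normalised because the report shows SysWOW64 images for command lines that say system32: these processes run out of SysWOW64, i.e. they are 32-bit, and WoW64 file-system redirection maps the one onto the other.

```python
import re
from collections import Counter

# One "Suspicious use of WriteProcessMemory" row as rendered on this page:
#   PID <src> wrote to memory of <dst> N/A <source image> <target image>
ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")

# Assumed list of injection hosts; the page itself only shows notepad.exe.
HOST_IMAGES = {"notepad.exe", "svchost.exe", "regasm.exe", "msbuild.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

# Constructed subset of the rows above. Repeats are kept on purpose: each row is one
# call, and the counts (3 per plain launch, 5 per notepad.exe) are part of the signal.
SAMPLE_EVENTS = r"""
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 116 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 116 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\SysWOW64\notepad.exe
PID 1480 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1480 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Local\Temp\test.exe
"""

# Command lines from the Processes list. 4856 is the powershell.exe target named in
# the rows above; the other PIDs are assumed for illustration (the list prints none).
SAMPLE_CMDLINES = {
    116: r"C:\Windows\system32\cmd.exe /c test.exe",
    4752: r'"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4060 240601328',
    4856: "powershell Add-MpPreference -ExclusionPath C:\\",
    4580: r'"C:\ProgramData\images.exe"',
}

def parse_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per row; reject anything else."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"not a WriteProcessMemory row: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events

def normalize(path):
    """Lower-case and undo WoW64 redirection: a 32-bit process naming system32\\ is
    served from SysWOW64\\, which is why the Processes list shows SysWOW64 images."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")

def image_name(path):
    return normalize(path).rsplit("\\", 1)[-1]

def spawn_tree(events, root):
    """Indented tree of the write graph; here every writer also created its target."""
    children, names = {}, {}
    for src, dst, src_img, dst_img in events:
        names[src], names[dst] = image_name(src_img), image_name(dst_img)
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} [{pid}]")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    walk(root, 0)
    return lines

def findings(events, cmdlines):
    """(kind, pid, detail) triples for the behaviours in this chain worth alerting on."""
    out = []
    for (src, dst, src_img, dst_img), n in sorted(Counter(events).items()):
        s, d = image_name(src_img), image_name(dst_img)
        if d in HOST_IMAGES and s not in HOST_IMAGES:
            out.append(("hollowing_candidate", src, f"{s} wrote {n}x into {d} [{dst}]"))
        elif normalize(src_img) == normalize(dst_img):
            out.append(("self_respawn", src, f"{s} wrote {n}x into a new copy of itself [{dst}]"))
        elif not normalize(src_img).startswith(SYSTEM_DIR):
            out.append(("cross_process_write", src, f"{s} -> {d} [{dst}] ({n}x)"))
    known = {pid for e in events for pid in e[:2]}
    for pid, cmd in cmdlines.items():
        if re.search(r"add-mppreference\s+-exclusionpath\b", cmd, re.I):
            out.append(("defender_exclusion", pid, cmd))
        m = re.fullmatch(r'"?(\S+\.exe)"? 2 (\d+) \d+', cmd, re.I)
        if m and int(m.group(2)) in known:  # argument names a PID already in the graph
            out.append(("pid_argument", pid, f"argument {m.group(2)} is a live PID of the chain"))
    return out

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("\n".join(spawn_tree(evs, 3672)))
    print("\n".join(f"{k}: pid {p}: {d}" for k, p, d in findings(evs, SAMPLE_CMDLINES)))
```

Run it with `python3 chain.py`; the same functions take the full row set from this page unchanged. On a host that shows this chain, verify and undo the exclusion before anything else: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists it and `Remove-MpPreference -ExclusionPath 'C:\'` removes it. An exclusion on the root of the system drive stops Defender scanning everything under it, so nothing the sample dropped after that point can be assumed to have been caught.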

Processes

C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe

"C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe

test.exe

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4060 240601328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe" 2 4580 240603906

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 468 240604406

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2180 240607031

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4360 240609984

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1272 240611593

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2836 240613031

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2624 240614453

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 220 240615796

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 840 240617203

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4072 240618531

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1048 240619875

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4132 240621281

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5072 240622671

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4116 240624078

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5088 240625375

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1988 240626609

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2508 240627906

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2660 240629062

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 740 240630312

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4948 240631562

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2144 240632687

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5020 240633921

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3540 240635140

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3644 240636312

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1140 240637468

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1116 240638671

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1592 240639875

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1812 240641015

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2844 240642265

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2432 240643531

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4280 240644812

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5052 240646000

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3360 240647156

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 5060 240648359

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1324 240649625

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3624 240650828

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4956 240652140

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3956 240653281

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1940 240654562

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4968 240655734

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1124 240657000

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1180 240658187

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4264 240659406

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1564 240660656

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3640 240661781

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1312 240662921

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4104 240664062

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2384 240665359

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1308 240666546

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 804 240667687

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2956 240668828

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4344 240670046

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1640 240671359

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1784 240672640

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1408 240673796

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3684 240674953

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4300 240676125

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2576 240677250

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4640 240678406

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 664 240679515

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2400 240680718

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3492 240681890

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3584 240683046

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 4484 240684234

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 448 240685484

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 3304 240686656

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 1668 240687843

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

Network


Files
