Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Drops startup file

Description	Indicator	Process	Target
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	wtfismyip.com	N/A	N/A
N/A	wtfismyip.com	N/A	N/A

Detected phishing page

phishing

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\timeout.exe	N/A

Enumerates system info in registry

Description	Indicator	Process	Target
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A

Suspicious behavior: AddClipboardFormatListener

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
Token: 33	N/A	C:\Windows\system32\AUDIODG.EXE	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Windows\system32\AUDIODG.EXE	N/A

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A

Suspicious use of SendNotifyMessage

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\XClient.exe	N/A
N/A	N/A	C:\Program Files\VideoLAN\VLC\vlc.exe	N/A

Suspicious use of WriteProcessMemory

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8