xworm | 16fa4a9b4898751c6ee4428f8b365fe3301b8f477ae12790e16a62acb149ac88

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

765KB
MD5

6bdeb48089f5812a21bef4226697c748
SHA1

7c39058e8ef2c5c34f9718bfd0d92f448fcc7dd4
SHA256

16fa4a9b4898751c6ee4428f8b365fe3301b8f477ae12790e16a62acb149ac88
SHA512

00ebc44550e86b2c98079dc033b0f45cec7787708d69e283a64adfdd9250e1a3ef02b4c6d9da4fe3dc29c2e3648d9cfdcc19fcad4b1214384a19421c9f13eb53
SSDEEP

12288:d7+FWC3IYQ1QdzfREFLfkiiUh7X6hXw9l9wkBEnemOB+pTF2vi4LU8oK7MLpX/51:L2vZlQfkiiUhj6yH93OnedswvHYNdX/y

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

us1.localto.net:38447

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00050000000230d8-9.dat	family_xworm
behavioral2/memory/5000-17-0x0000000000DE0000-0x0000000000DFA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2280	powershell.exe
4488	powershell.exe
4972	powershell.exe
3884	powershell.exe

Checks computer location settings 2 TTPs 60 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Builder.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
5104	Builder.exe
5000	svchost.exe
2828	Builder.exe
2420	svchost.exe
2192	Builder.exe
1576	svchost.exe
1256	Builder.exe
2644	svchost.exe
1268	Builder.exe
4420	svchost.exe
4880	Builder.exe
4320	svchost.exe
2752	Builder.exe
3592	svchost.exe
1808	Builder.exe
4184	svchost.exe
2476	Builder.exe
2676	svchost.exe
3436	Builder.exe
5032	svchost.exe
2812	Builder.exe
3428	svchost.exe
2416	Builder.exe
2324	svchost.exe
2704	Builder.exe
5076	svchost.exe
2168	Builder.exe
1456	svchost.exe
4164	Builder.exe
4268	svchost.exe
2928	Builder.exe
4332	svchost.exe
3380	Builder.exe
4424	svchost.exe
1124	Builder.exe
4660	svchost.exe
3424	Builder.exe
2220	svchost.exe
3888	Builder.exe
3412	svchost.exe
2856	Builder.exe
4288	svchost.exe
1596	Builder.exe
556	svchost.exe
2908	Builder.exe
448	svchost.exe
216	Builder.exe
1452	svchost.exe
4364	Builder.exe
2168	svchost.exe
3576	Builder.exe
4164	svchost.exe
2752	Builder.exe
1752	svchost.exe
3640	Builder.exe
2296	svchost.exe
4184	Builder.exe
3380	svchost.exe
3144	Builder.exe
1124	svchost.exe
3112	Builder.exe
2472	svchost.exe
2940	Builder.exe
2224	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5000	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2280	powershell.exe
2280	powershell.exe
4488	powershell.exe
4488	powershell.exe
4972	powershell.exe
4972	powershell.exe
3884	powershell.exe
3884	powershell.exe
5000	svchost.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	svchost.exe
Token: SeDebugPrivilege	2420	svchost.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	1576	svchost.exe
Token: SeDebugPrivilege	2644	svchost.exe
Token: SeDebugPrivilege	4420	svchost.exe
Token: SeDebugPrivilege	4320	svchost.exe
Token: SeDebugPrivilege	3592	svchost.exe
Token: SeDebugPrivilege	4184	svchost.exe
Token: SeDebugPrivilege	2676	svchost.exe
Token: SeDebugPrivilege	5032	svchost.exe
Token: SeDebugPrivilege	3428	svchost.exe
Token: SeDebugPrivilege	2324	svchost.exe
Token: SeDebugPrivilege	5076	svchost.exe
Token: SeDebugPrivilege	1456	svchost.exe
Token: SeDebugPrivilege	4268	svchost.exe
Token: SeDebugPrivilege	4332	svchost.exe
Token: SeDebugPrivilege	4424	svchost.exe
Token: SeDebugPrivilege	4660	svchost.exe
Token: SeDebugPrivilege	2220	svchost.exe
Token: SeDebugPrivilege	3412	svchost.exe
Token: SeDebugPrivilege	4288	svchost.exe
Token: SeDebugPrivilege	556	svchost.exe
Token: SeDebugPrivilege	448	svchost.exe
Token: SeDebugPrivilege	1452	svchost.exe
Token: SeDebugPrivilege	2168	svchost.exe
Token: SeDebugPrivilege	4164	svchost.exe
Token: SeDebugPrivilege	1752	svchost.exe
Token: SeDebugPrivilege	2296	svchost.exe
Token: SeDebugPrivilege	3380	svchost.exe
Token: SeDebugPrivilege	1124	svchost.exe
Token: SeDebugPrivilege	2472	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	2684	svchost.exe
Token: SeDebugPrivilege	4656	svchost.exe
Token: SeDebugPrivilege	1596	svchost.exe
Token: SeDebugPrivilege	1364	svchost.exe
Token: SeDebugPrivilege	1336	svchost.exe
Token: SeDebugPrivilege	4536	svchost.exe
Token: SeDebugPrivilege	3052	svchost.exe
Token: SeDebugPrivilege	4228	svchost.exe
Token: SeDebugPrivilege	4820	svchost.exe
Token: SeDebugPrivilege	3672	svchost.exe
Token: SeDebugPrivilege	3432	svchost.exe
Token: SeDebugPrivilege	884	svchost.exe
Token: SeDebugPrivilege	2260	svchost.exe
Token: SeDebugPrivilege	4296	svchost.exe
Token: SeDebugPrivilege	1960	svchost.exe
Token: SeDebugPrivilege	4900	svchost.exe
Token: SeDebugPrivilege	3384	svchost.exe
Token: SeDebugPrivilege	4176	svchost.exe
Token: SeDebugPrivilege	3880	svchost.exe
Token: SeDebugPrivilege	4928	svchost.exe
Token: SeDebugPrivilege	5036	svchost.exe
Token: SeDebugPrivilege	2896	svchost.exe
Token: SeDebugPrivilege	2752	svchost.exe
Token: SeDebugPrivilege	816	svchost.exe
Token: SeDebugPrivilege	3360	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5000	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 5104	4676	Builder.exe	87
PID 4676 wrote to memory of 5104	4676	Builder.exe	87
PID 4676 wrote to memory of 5000	4676	Builder.exe	88
PID 4676 wrote to memory of 5000	4676	Builder.exe	88
PID 5104 wrote to memory of 2828	5104	Builder.exe	94
PID 5104 wrote to memory of 2828	5104	Builder.exe	94
PID 5104 wrote to memory of 2420	5104	Builder.exe	95
PID 5104 wrote to memory of 2420	5104	Builder.exe	95
PID 5000 wrote to memory of 2280	5000	svchost.exe	98
PID 5000 wrote to memory of 2280	5000	svchost.exe	98
PID 5000 wrote to memory of 4488	5000	svchost.exe	100
PID 5000 wrote to memory of 4488	5000	svchost.exe	100
PID 5000 wrote to memory of 4972	5000	svchost.exe	102
PID 5000 wrote to memory of 4972	5000	svchost.exe	102
PID 5000 wrote to memory of 3884	5000	svchost.exe	104
PID 5000 wrote to memory of 3884	5000	svchost.exe	104
PID 2828 wrote to memory of 2192	2828	Builder.exe	106
PID 2828 wrote to memory of 2192	2828	Builder.exe	106
PID 2828 wrote to memory of 1576	2828	Builder.exe	107
PID 2828 wrote to memory of 1576	2828	Builder.exe	107
PID 2192 wrote to memory of 1256	2192	Builder.exe	111
PID 2192 wrote to memory of 1256	2192	Builder.exe	111
PID 2192 wrote to memory of 2644	2192	Builder.exe	112
PID 2192 wrote to memory of 2644	2192	Builder.exe	112
PID 1256 wrote to memory of 1268	1256	Builder.exe	117
PID 1256 wrote to memory of 1268	1256	Builder.exe	117
PID 1256 wrote to memory of 4420	1256	Builder.exe	118
PID 1256 wrote to memory of 4420	1256	Builder.exe	118
PID 1268 wrote to memory of 4880	1268	Builder.exe	119
PID 1268 wrote to memory of 4880	1268	Builder.exe	119
PID 1268 wrote to memory of 4320	1268	Builder.exe	120
PID 1268 wrote to memory of 4320	1268	Builder.exe	120
PID 4880 wrote to memory of 2752	4880	Builder.exe	121
PID 4880 wrote to memory of 2752	4880	Builder.exe	121
PID 4880 wrote to memory of 3592	4880	Builder.exe	122
PID 4880 wrote to memory of 3592	4880	Builder.exe	122
PID 2752 wrote to memory of 1808	2752	Builder.exe	123
PID 2752 wrote to memory of 1808	2752	Builder.exe	123
PID 2752 wrote to memory of 4184	2752	Builder.exe	124
PID 2752 wrote to memory of 4184	2752	Builder.exe	124
PID 1808 wrote to memory of 2476	1808	Builder.exe	125
PID 1808 wrote to memory of 2476	1808	Builder.exe	125
PID 1808 wrote to memory of 2676	1808	Builder.exe	126
PID 1808 wrote to memory of 2676	1808	Builder.exe	126
PID 2476 wrote to memory of 3436	2476	Builder.exe	127
PID 2476 wrote to memory of 3436	2476	Builder.exe	127
PID 2476 wrote to memory of 5032	2476	Builder.exe	128
PID 2476 wrote to memory of 5032	2476	Builder.exe	128
PID 3436 wrote to memory of 2812	3436	Builder.exe	129
PID 3436 wrote to memory of 2812	3436	Builder.exe	129
PID 3436 wrote to memory of 3428	3436	Builder.exe	130
PID 3436 wrote to memory of 3428	3436	Builder.exe	130
PID 2812 wrote to memory of 2416	2812	Builder.exe	133
PID 2812 wrote to memory of 2416	2812	Builder.exe	133
PID 2812 wrote to memory of 2324	2812	Builder.exe	134
PID 2812 wrote to memory of 2324	2812	Builder.exe	134
PID 2416 wrote to memory of 2704	2416	Builder.exe	135
PID 2416 wrote to memory of 2704	2416	Builder.exe	135
PID 2416 wrote to memory of 5076	2416	Builder.exe	136
PID 2416 wrote to memory of 5076	2416	Builder.exe	136
PID 2704 wrote to memory of 2168	2704	Builder.exe	138
PID 2704 wrote to memory of 2168	2704	Builder.exe	138
PID 2704 wrote to memory of 1456	2704	Builder.exe	139
PID 2704 wrote to memory of 1456	2704	Builder.exe	139

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\Builder.exe
      "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        34⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        35⤵
        Checks computer location settings
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        36⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        37⤵
        Checks computer location settings
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        38⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        39⤵
        Checks computer location settings
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        40⤵
        Checks computer location settings
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        41⤵
        Checks computer location settings
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        42⤵
        Checks computer location settings
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        43⤵
        Checks computer location settings
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        44⤵
        Checks computer location settings
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        45⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        46⤵
        Checks computer location settings
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        47⤵
        Checks computer location settings
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        48⤵
        Checks computer location settings
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        49⤵
        Checks computer location settings
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        50⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        51⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        52⤵
        Checks computer location settings
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        53⤵
        Checks computer location settings
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        54⤵
        Checks computer location settings
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        55⤵
        Checks computer location settings
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        56⤵
        Checks computer location settings
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        57⤵
        Checks computer location settings
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        58⤵
        Checks computer location settings
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        59⤵
        Checks computer location settings
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
        60⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        60⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        46⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1576
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Builder.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
359d1e37a264703c99ebd01eed362de5

SHA1
a1122c8bf9848b3371cd191ba540864204d1d845

SHA256
5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

SHA512
ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d9289f73405fc7bade4762436a627b0c

SHA1
2c413920212b285f39ba41a393d9dfffc90f2ca5

SHA256
88d90847196bf6fc6a8fd339d6f1fa31adc369eeb40efb83b24fe7160409ee2c

SHA512
dd1aa15aa6ed51582394c5638b2d03711305c5314f9f0b09765a86a646bbb9406183d7d4b0764701c8142064dc0e53c7029c1ac983a78e36ae3c50eb0b8a8f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Builder.exe

Filesize
765KB

MD5
6bdeb48089f5812a21bef4226697c748

SHA1
7c39058e8ef2c5c34f9718bfd0d92f448fcc7dd4

SHA256
16fa4a9b4898751c6ee4428f8b365fe3301b8f477ae12790e16a62acb149ac88

SHA512
00ebc44550e86b2c98079dc033b0f45cec7787708d69e283a64adfdd9250e1a3ef02b4c6d9da4fe3dc29c2e3648d9cfdcc19fcad4b1214384a19421c9f13eb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abu3lzji.ffx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
79KB

MD5
f629ec7b4e150c2cdef2b5bd6271f929

SHA1
82b0e98320c49a56bd9602727710bba2107f5b33

SHA256
253a04ae35f1454afc908b4f4ce914d8cc3dda43ff2b723a71d556b54305e4f1

SHA512
4bb27be38f345854b2e767dca9022fcdc8af1521d15e9c1d0a14478f4300d8b652b667b31c903a7eef8efc1ae6915df08ee23b5ff43ad3c68618a1a58b59249e

Download Submit
memory/2280-35-0x000002739D270000-0x000002739D292000-memory.dmp

Filesize
136KB

Download
memory/4676-20-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4676-0-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/4676-2-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4676-1-0x0000000000230000-0x00000000002F6000-memory.dmp

Filesize
792KB

Download
memory/5000-19-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/5000-17-0x0000000000DE0000-0x0000000000DFA000-memory.dmp

Filesize
104KB

Download
memory/5000-81-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/5104-21-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/5104-25-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/5104-18-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download