xworm | 3b0edfc4834e5e6e0d71cdb38b150d9a8c457dd3d9a6ce180bba01615e2da3d0

Analysis

max time kernel
251s
max time network
270s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/03/2025, 15:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

2.5MB
MD5

12c778168de4cb227283338609cce591
SHA1

dd8226c477ac4a4d86c1d79dd66b8f82752b408d
SHA256

3b0edfc4834e5e6e0d71cdb38b150d9a8c457dd3d9a6ce180bba01615e2da3d0
SHA512

b0872ad258ad8edc68313b481ea091333d05b35ac3a17b912cd6b77ac77e6d1e7fb2ddd3be6c851761285fe1f69292b5dc781823dddca77f180d500c7d0322fe
SSDEEP

49152:VZPjorfOAfRxx13BIq8IYpSqxN7XGQKoBaJ3RIrMQJZipKE1p:VZkzD73i7pSqxNV5wQJwd1p

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

cause-indexes.gl.at.ply.gg:17210

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000027dc9-24.dat	family_xworm
behavioral1/memory/3552-35-0x00000000005F0000-0x000000000060A000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fwuvzd.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
708	powershell.exe
3096	powershell.exe
4392	powershell.exe
712	powershell.exe
1540	powershell.exe
4476	powershell.exe
672	powershell.exe
2564	powershell.exe
2156	powershell.exe
2004	powershell.exe
2468	powershell.exe
1556	powershell.exe
3660	powershell.exe
3504	powershell.exe
4708	powershell.exe
3292	powershell.exe
3512	powershell.exe
3012	powershell.exe
1704	powershell.exe
4676	powershell.exe
2916	powershell.exe
4912	powershell.exe
2932	powershell.exe
1876	powershell.exe
1992	powershell.exe
544	powershell.exe
2164	powershell.exe
4300	powershell.exe
1156	powershell.exe
2004	powershell.exe
1376	powershell.exe
2220	powershell.exe
1852	powershell.exe
3196	powershell.exe
3668	powershell.exe
1648	powershell.exe
2872	powershell.exe
1724	powershell.exe
2548	powershell.exe
4336	powershell.exe
1696	powershell.exe
1652	powershell.exe
1664	powershell.exe
4528	powershell.exe
4600	powershell.exe
2320	powershell.exe
2816	powershell.exe
4052	powershell.exe
1184	powershell.exe
4964	powershell.exe
2384	powershell.exe
3340	powershell.exe
3980	powershell.exe
2064	powershell.exe
4776	powershell.exe
1304	powershell.exe
3924	powershell.exe
3172	powershell.exe
4344	powershell.exe
1624	powershell.exe
4316	powershell.exe
3856	powershell.exe
1132	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	fwuvzd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwuvzd.exe"	fwuvzd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	fwuvzd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwuvzd.exe"	fwuvzd.exe

Checks computer location settings 2 TTPs 60 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	fwuvzd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 60 IoCs

pid	Process
3552	XClient.exe
4880	XClient.exe
3604	XClient.exe
2316	XClient.exe
3252	XClient.exe
4440	XClient.exe
3440	XClient.exe
540	XClient.exe
1568	XClient.exe
4348	XClient.exe
1156	XClient.exe
4776	XClient.exe
4580	XClient.exe
1112	XClient.exe
3880	XClient.exe
4396	XClient.exe
4528	XClient.exe
1872	XClient.exe
2104	XClient.exe
4256	XClient.exe
3404	XClient.exe
2764	XClient.exe
4708	XClient.exe
116	XClient.exe
2856	XClient.exe
3672	XClient.exe
4768	XClient.exe
4580	XClient.exe
776	XClient.exe
3028	XClient.exe
1028	XClient.exe
4584	XClient.exe
3840	XClient.exe
4472	XClient.exe
2164	XClient.exe
4596	XClient.exe
1776	XClient.exe
3876	XClient.exe
5032	XClient.exe
2940	XClient.exe
1032	XClient.exe
4392	XClient.exe
3340	XClient.exe
1744	XClient.exe
4324	XClient.exe
4360	XClient.exe
2760	XClient.exe
1752	XClient.exe
1368	XClient.exe
4876	XClient.exe
2648	XClient.exe
756	XClient.exe
3176	XClient.exe
4352	XClient.exe
2844	XClient.exe
2856	fwuvzd.exe
3716	fwuvzd.exe
376	XClient.exe
2884	XClient.exe
4948	XClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fwuvzd.exe"	fwuvzd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fwuvzd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fwuvzd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0067000000027df4-1232.dat	upx
behavioral1/memory/2856-1237-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/3716-1248-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/3716-1250-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2856-1302-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2856-1310-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwuvzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwuvzd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	powershell.exe
2020	powershell.exe
2716	powershell.exe
2716	powershell.exe
1664	powershell.exe
1664	powershell.exe
3400	powershell.exe
3400	powershell.exe
4460	powershell.exe
4460	powershell.exe
388	powershell.exe
388	powershell.exe
2384	powershell.exe
2384	powershell.exe
3552	XClient.exe
1452	powershell.exe
1452	powershell.exe
544	powershell.exe
544	powershell.exe
1192	powershell.exe
1192	powershell.exe
752	powershell.exe
752	powershell.exe
4764	powershell.exe
4764	powershell.exe
1560	powershell.exe
1560	powershell.exe
1704	powershell.exe
1704	powershell.exe
4380	powershell.exe
4380	powershell.exe
2056	powershell.exe
2056	powershell.exe
4364	powershell.exe
4364	powershell.exe
464	powershell.exe
464	powershell.exe
2684	powershell.exe
2684	powershell.exe
4444	powershell.exe
4444	powershell.exe
4344	powershell.exe
4344	powershell.exe
2040	powershell.exe
2040	powershell.exe
4644	powershell.exe
4644	powershell.exe
2564	powershell.exe
2564	powershell.exe
3340	powershell.exe
3340	powershell.exe
3688	powershell.exe
3688	powershell.exe
4676	powershell.exe
4676	powershell.exe
3712	powershell.exe
3712	powershell.exe
3004	powershell.exe
3004	powershell.exe
4528	powershell.exe
4528	powershell.exe
5044	powershell.exe
5044	powershell.exe
708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeIncreaseQuotaPrivilege	2020	powershell.exe
Token: SeSecurityPrivilege	2020	powershell.exe
Token: SeTakeOwnershipPrivilege	2020	powershell.exe
Token: SeLoadDriverPrivilege	2020	powershell.exe
Token: SeSystemProfilePrivilege	2020	powershell.exe
Token: SeSystemtimePrivilege	2020	powershell.exe
Token: SeProfSingleProcessPrivilege	2020	powershell.exe
Token: SeIncBasePriorityPrivilege	2020	powershell.exe
Token: SeCreatePagefilePrivilege	2020	powershell.exe
Token: SeBackupPrivilege	2020	powershell.exe
Token: SeRestorePrivilege	2020	powershell.exe
Token: SeShutdownPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeSystemEnvironmentPrivilege	2020	powershell.exe
Token: SeRemoteShutdownPrivilege	2020	powershell.exe
Token: SeUndockPrivilege	2020	powershell.exe
Token: SeManageVolumePrivilege	2020	powershell.exe
Token: 33	2020	powershell.exe
Token: 34	2020	powershell.exe
Token: 35	2020	powershell.exe
Token: 36	2020	powershell.exe
Token: SeDebugPrivilege	3552	XClient.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeIncreaseQuotaPrivilege	1664	powershell.exe
Token: SeSecurityPrivilege	1664	powershell.exe
Token: SeTakeOwnershipPrivilege	1664	powershell.exe
Token: SeLoadDriverPrivilege	1664	powershell.exe
Token: SeSystemProfilePrivilege	1664	powershell.exe
Token: SeSystemtimePrivilege	1664	powershell.exe
Token: SeProfSingleProcessPrivilege	1664	powershell.exe
Token: SeIncBasePriorityPrivilege	1664	powershell.exe
Token: SeCreatePagefilePrivilege	1664	powershell.exe
Token: SeBackupPrivilege	1664	powershell.exe
Token: SeRestorePrivilege	1664	powershell.exe
Token: SeShutdownPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeSystemEnvironmentPrivilege	1664	powershell.exe
Token: SeRemoteShutdownPrivilege	1664	powershell.exe
Token: SeUndockPrivilege	1664	powershell.exe
Token: SeManageVolumePrivilege	1664	powershell.exe
Token: 33	1664	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3552	XClient.exe
2856	fwuvzd.exe
3716	fwuvzd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2020	2540	BootstrapperNew.exe	80
PID 2540 wrote to memory of 2020	2540	BootstrapperNew.exe	80
PID 2540 wrote to memory of 3552	2540	BootstrapperNew.exe	86
PID 2540 wrote to memory of 3552	2540	BootstrapperNew.exe	86
PID 2540 wrote to memory of 2716	2540	BootstrapperNew.exe	87
PID 2540 wrote to memory of 2716	2540	BootstrapperNew.exe	87
PID 2540 wrote to memory of 2460	2540	BootstrapperNew.exe	90
PID 2540 wrote to memory of 2460	2540	BootstrapperNew.exe	90
PID 3552 wrote to memory of 1664	3552	XClient.exe	92
PID 3552 wrote to memory of 1664	3552	XClient.exe	92
PID 2460 wrote to memory of 3400	2460	BootstrapperNew.exe	94
PID 2460 wrote to memory of 3400	2460	BootstrapperNew.exe	94
PID 3552 wrote to memory of 4460	3552	XClient.exe	96
PID 3552 wrote to memory of 4460	3552	XClient.exe	96
PID 2460 wrote to memory of 4880	2460	BootstrapperNew.exe	98
PID 2460 wrote to memory of 4880	2460	BootstrapperNew.exe	98
PID 2460 wrote to memory of 388	2460	BootstrapperNew.exe	99
PID 2460 wrote to memory of 388	2460	BootstrapperNew.exe	99
PID 3552 wrote to memory of 2384	3552	XClient.exe	101
PID 3552 wrote to memory of 2384	3552	XClient.exe	101
PID 3552 wrote to memory of 3812	3552	XClient.exe	103
PID 3552 wrote to memory of 3812	3552	XClient.exe	103
PID 2460 wrote to memory of 4440	2460	BootstrapperNew.exe	104
PID 2460 wrote to memory of 4440	2460	BootstrapperNew.exe	104
PID 4440 wrote to memory of 1452	4440	BootstrapperNew.exe	107
PID 4440 wrote to memory of 1452	4440	BootstrapperNew.exe	107
PID 4440 wrote to memory of 3604	4440	BootstrapperNew.exe	109
PID 4440 wrote to memory of 3604	4440	BootstrapperNew.exe	109
PID 4440 wrote to memory of 544	4440	BootstrapperNew.exe	110
PID 4440 wrote to memory of 544	4440	BootstrapperNew.exe	110
PID 4440 wrote to memory of 4348	4440	BootstrapperNew.exe	113
PID 4440 wrote to memory of 4348	4440	BootstrapperNew.exe	113
PID 4348 wrote to memory of 1192	4348	BootstrapperNew.exe	115
PID 4348 wrote to memory of 1192	4348	BootstrapperNew.exe	115
PID 4348 wrote to memory of 2316	4348	BootstrapperNew.exe	117
PID 4348 wrote to memory of 2316	4348	BootstrapperNew.exe	117
PID 4348 wrote to memory of 752	4348	BootstrapperNew.exe	118
PID 4348 wrote to memory of 752	4348	BootstrapperNew.exe	118
PID 4348 wrote to memory of 4668	4348	BootstrapperNew.exe	120
PID 4348 wrote to memory of 4668	4348	BootstrapperNew.exe	120
PID 4668 wrote to memory of 4764	4668	BootstrapperNew.exe	121
PID 4668 wrote to memory of 4764	4668	BootstrapperNew.exe	121
PID 4668 wrote to memory of 3252	4668	BootstrapperNew.exe	123
PID 4668 wrote to memory of 3252	4668	BootstrapperNew.exe	123
PID 4668 wrote to memory of 1560	4668	BootstrapperNew.exe	124
PID 4668 wrote to memory of 1560	4668	BootstrapperNew.exe	124
PID 4668 wrote to memory of 3840	4668	BootstrapperNew.exe	126
PID 4668 wrote to memory of 3840	4668	BootstrapperNew.exe	126
PID 3840 wrote to memory of 1704	3840	BootstrapperNew.exe	127
PID 3840 wrote to memory of 1704	3840	BootstrapperNew.exe	127
PID 3840 wrote to memory of 4440	3840	BootstrapperNew.exe	129
PID 3840 wrote to memory of 4440	3840	BootstrapperNew.exe	129
PID 3840 wrote to memory of 4380	3840	BootstrapperNew.exe	130
PID 3840 wrote to memory of 4380	3840	BootstrapperNew.exe	130
PID 3840 wrote to memory of 2932	3840	BootstrapperNew.exe	132
PID 3840 wrote to memory of 2932	3840	BootstrapperNew.exe	132
PID 2932 wrote to memory of 2056	2932	BootstrapperNew.exe	134
PID 2932 wrote to memory of 2056	2932	BootstrapperNew.exe	134
PID 2932 wrote to memory of 3440	2932	BootstrapperNew.exe	136
PID 2932 wrote to memory of 3440	2932	BootstrapperNew.exe	136
PID 2932 wrote to memory of 4364	2932	BootstrapperNew.exe	137
PID 2932 wrote to memory of 4364	2932	BootstrapperNew.exe	137
PID 2932 wrote to memory of 1300	2932	BootstrapperNew.exe	139
PID 2932 wrote to memory of 1300	2932	BootstrapperNew.exe	139

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fwuvzd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fwuvzd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	fwuvzd.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe
    "C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe"
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c TASKKILL /F /FI "Imagename ne fwuvzd.exe" /FI "USERNAME eq %USERNAME%
      4⤵
      PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      4⤵
      Executes dropped EXE
      PID:3604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:544
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        5⤵
        Executes dropped EXE
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        6⤵
        Executes dropped EXE
        
        PID:3252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        7⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        8⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        Checks computer location settings
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        Checks computer location settings
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        11⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        Checks computer location settings
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        12⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        Checks computer location settings
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        13⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        Checks computer location settings
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        14⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        Checks computer location settings
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        15⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        Checks computer location settings
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        16⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        Checks computer location settings
        
        PID:236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        17⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        17⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        Checks computer location settings
        
        PID:8
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        18⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        18⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        Checks computer location settings
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        19⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        19⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        Checks computer location settings
        
        PID:5032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        20⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        Checks computer location settings
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        21⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        21⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        Checks computer location settings
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        22⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        22⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        22⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        Checks computer location settings
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        23⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        Checks computer location settings
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        24⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        25⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        25⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        Checks computer location settings
        
        PID:948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        26⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        26⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        27⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        27⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        27⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        Checks computer location settings
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        28⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        28⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        Checks computer location settings
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        29⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        29⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        Checks computer location settings
        
        PID:4272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        30⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        30⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        Checks computer location settings
        
        PID:1360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        31⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        31⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        Checks computer location settings
        
        PID:232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        32⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        32⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        Checks computer location settings
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        33⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        Checks computer location settings
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        34⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        Checks computer location settings
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        35⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        Checks computer location settings
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        36⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        36⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        Checks computer location settings
        
        PID:4900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        37⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        37⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        Checks computer location settings
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        38⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        Checks computer location settings
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        39⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        Checks computer location settings
        
        PID:464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        40⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        40⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        Checks computer location settings
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        41⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        41⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        Checks computer location settings
        
        PID:4412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        42⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        42⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        42⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        43⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        43⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        Checks computer location settings
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        44⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        Checks computer location settings
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        45⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        45⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        46⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        Checks computer location settings
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        47⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        Checks computer location settings
        
        PID:1272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        48⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        Checks computer location settings
        
        PID:3452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        49⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        50⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        50⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        50⤵
        Checks computer location settings
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        51⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        51⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        51⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        51⤵
        Checks computer location settings
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        52⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        52⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        52⤵
        Checks computer location settings
        
        PID:240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        53⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        53⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        53⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        54⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        54⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        54⤵
        Checks computer location settings
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        55⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        55⤵
        Checks computer location settings
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        56⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        56⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        56⤵
        Checks computer location settings
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        57⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        57⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        57⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        57⤵
        Checks computer location settings
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        58⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        58⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        58⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        59⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        59⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        59⤵
        
        PID:4344

C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe
C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperNew.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e78029926f09dd649c9e22d3363a196

SHA1
a0fac93ccc3505d9e6857b88f407eab164e49c34

SHA256
139b33af77e785669116fa61214dc8d959944a478e718ad3e90cb4f52bf32b1c

SHA512
5335f3eaad27499d9ecb6f3ec42e3c84d2293eeb2f3d64a72ce42a3d4ebf54793b9c179e39119bd27656c366deae946e231070cb5a00f09e2e7101e908f93039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dece17e8b3d1cc0b29cf5a977b68730e

SHA1
e24e56624c7701b349a5a07642e9b9d902196f55

SHA256
1f78459e977340a708884f6f42099ad6914a855ee98cba6c09bbb2b56dbaa908

SHA512
8a966a00209f43ebc4051c3433aa12ce4e9a2f85acfb428f87fc7fd222549085c115df2372cbc29836a926950a38400a68e29c6f89c8f237a14c7833a92eb8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30fecdba307b8ccf949db4333c045c5

SHA1
e627bf6975d2281a809475bbd85d4d057e995531

SHA256
9e3d1038a48c2eddcfdc50fa8832ad5f06cd1fdf095ab7afc7f3b6a817eb9dc2

SHA512
64054c2b92004de674575eedaf91c958fcab41508aea074a79bcdc0428ee7357784a21138f61129305f6d8ec2110619624387422df08ee4eb436a89395b88702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
61d3041ee4a5b61df98145d9d2cdd603

SHA1
114be44a52f4ef601419fe6c263f1986c38e87fd

SHA256
69407efa02fcc993b202e147192fa3448996a8998d11150d9a613e0719266bca

SHA512
dfd778377868d40d1710e2d79092e44731458af2dac8bd7664ec053e98b30613310406ef6306d207eba34031f6f9abf490093dbffd1e9f37dde72c74b00ae8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ee22c2a6dfbb5c4d69e870c61baf578

SHA1
3dfc40ec0b6179ff033f7bc3881d613eca8c41e0

SHA256
9d628164de0a3d86bf2e2e815b12f2ea76eaee342ec55bc5e2b988da2cda2973

SHA512
2dc7ea4e4ecce06cd171f08d71f064983d08432779bd670b51f651d5df6e294e7c6d292e25241bdbb6367fe26ae041fd955ee6a5da5c990bf3ab211d7a6f1e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a2581ce25d27c89853a8c5e60aeac6f

SHA1
d3f5bfaa9b6c89915dbc46be9aa6e49a7eeb2ce7

SHA256
5609b0664d3e47ce6611cbca5b25caa6b2321fdbddbfd7efe5a38da6dacb27fc

SHA512
198a3644eb4ee261f558b9e248eb6f1fe59704aa31524983e866e39bb3c534cf776bc276ce786c0b855da23ea827e816453755bc01e3d8ae3e3cf965914e70c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c47722271a294ddbbd40a7291d6e6e8

SHA1
5aa70d8563cb788c243eaad08bfbd48f37ac92b5

SHA256
8382357e092ecaab856ac120574d132dc2fe8042b9b4e51a8954ebf44478c569

SHA512
3a62bc96c6b2efba502a19ffc427893fdb0536da5caadd5336579329dd283d99f409bb0259b68a21601de77d47f850e3ab00cb9bdd0a97d1c0cdf0d2b2a03247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
452e60ef28961bb887ae86b5ac76daca

SHA1
04be9209a5d0e211a421bd9dc760708f6d98bf77

SHA256
7fdc29cae80b887d2c2820beb80f9eb69124e8109486ffe0d4608578c6732270

SHA512
13943bd2bfa8552410ee2d5053f407f630aebe5b76d75b61b47e3ee0f87fca78bc0203cff48d5c57c4dc546129ee743edfaad0c58d607e1737695b0663f7238e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08233c4350849b90bddbc8323ffd677e

SHA1
837c074387c9b780e07973ca3faceae647c57002

SHA256
c7b22dbaa90e9d5978dd1525617184fe112e4cc0b0d0079ae12f67e8b2f78a2e

SHA512
d35f40e2d4bc7cb53c354c8de12774d6e21d2f4e6345d8a5adccb3cefb19fc2eb558a30970b596bea12416116a0429e2b83414f090f30631e8041ac242f7ac37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b3535ddbe4680f9099871b91aeb5093b

SHA1
5c247f7fd7a9338d8a6e77423126367cd7eed0d9

SHA256
07a72ef478987c28ac6b34ef3da31869c36cc2ed7300ecab574289ea23d3059f

SHA512
377eacb739acf39b545988ea4e238703bdbd20db419896d357843f0c4046c521fd6e8defb460d8fd2ec2ca739d4763f4df8034b187101b375144c05835d909b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5610479b0267b580718d11daa524f97e

SHA1
6cf984286a0ce73ac20b49668da41ebe40a4a582

SHA256
8430b789b1f29e34a250f735c21bde5fdf206d20b3a26b1e7fd91313396e5133

SHA512
f9bb31070fb6e7b28f9a2a30135a94f8e7945b39f2ef1b08b8a9bd1ad86f4276be41d1bb60f19fac51993ea20512a652845d498afa71879085b33a64fd9572db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e225e60e2eb7fd8818d4957e44f409c

SHA1
cfdceb8dd32485a818215e8f7abaaadf5e3fcb89

SHA256
44bb6c4ed470a068a973e17b3aa50ee7e837562cbe8b44564585461d03f8632d

SHA512
4b5e538ddb1968c4b088d89100a7b128805c6214ade709d87ae86206f6c2fdbef4c87e794ea2882ab7b11872e4941039c2e85a7fe73291e7f27374887a785938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2e52eb0fc269c79f8ba999fb17a76a0

SHA1
f99d55d893983204d1605786f5a7be2f75a4513f

SHA256
080ecf3b418b703b5e1450b5fae424a60d1524f6b4ca733aa0494db752b6aa83

SHA512
430af6a12712cb62267b79288ca394d8f550e89b8e345edb70f0301921f1e14418a0aa5983cf44c37f2f6bb847cb4ed2e9c72ade0422612d7500de0b7da9da9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f520befe20466581f75ccf29b069b9b0

SHA1
93e44c33725dc43953ae9088c8db6e17bfcc039b

SHA256
a0fc414bd8c6c7ee1814319986266b69b326acc226b0b80bb89a52ea3fc73fcd

SHA512
644d4da32718d5359d8aee95fb788238e39723bbef0a74210b0bcf5d8d807af1f0eefc9d003ac65e4b374cd5e02dc5ddc8479ffbee1496321a0b63ed91e961fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
86efc939211739872b7cdfc6e8e8f4ca

SHA1
69eba4fb9376e127d4bacf0e3b1136e4095a0678

SHA256
f7c968aea93281682df23105d0003582040404f3ce111d9f7a92f0fed2b648cb

SHA512
7341cd3efdad6115eff6effe620dfd17968d7bcb5a4098a24781d2fb2ecf6dc9dd3b5d24c58c66be0e1dbbd1d7f957ed0a01b8d866bf2ff6fe0c7db1b23e6524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6295bb545ca53db93da977581c6c2bd1

SHA1
669f36c0a0d4bd44232a99a0e840eeb793d0d4a2

SHA256
00c4028686adb4fb93f041a89af83bb8044be17b47d03cbf133279215983ddb0

SHA512
97efa3a4d2da51c0e113cda4780ded949c25c14d3371a9a3dacbf7f60b2fd289bd68297c15a71a0c7f3521bd463de22f17c8166185d0c7fd535805ba0de178a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a79266519c38f55a2a451456761349ae

SHA1
3900165ecc2d9869d832abbf1c4faf69c16825cd

SHA256
236d4a65c633420a940a663e81ba6757c9e8485431840eeaaf72d54921e35527

SHA512
35ef4ca1d5fda08941185909188d3b6500d5c7c1667070be994ad6531cada52eb7f9adfc86b6a428f161cee33b0ef584a68d625409a01896feb44d0ef6d9d0aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34902bd5814627c49e67322f6b75e06

SHA1
7f2740f73e0cbc52b68f473cfd6b29b8eef4de00

SHA256
8202765a46c1c44294bf15b2bce55b3d06b2b3fb564e57adc60f0da220dd8524

SHA512
59502f238375d2e78d9e2818baa358fdb6728cd44a493b95e2c9d795cce684858599fa115da07c030c307448ef05127741f74909d6b519b3260dbc65d3a4b603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2879755c37735aee79eb6b06e5952f3f

SHA1
8f7e6f73f2ee82022bd93633a1d914d65a6fd2a2

SHA256
00de7e1a55a4bd2fbf8c0ec30d7a1f626a638e88aa03629046190d9391717ad1

SHA512
ebda3165400670f533f3b52703c6b443597bb36d7891806a86542b1cd56b7fa8cd859beaf7251ceb17ac4d1c6326562efea1d6355ac583688bdf59aef2aea0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9df054aeff1753593722c7a7ff98f72e

SHA1
fee5a7a3c8e1e374590b3abe890ff1633e924e48

SHA256
6bcb26e899fcf3b1080957451362d9541ba415526d4cb4e0043ef3378238e83d

SHA512
71c3c36819dcc914a1b9da738f86cde0a2f22d8db43b39636432ba7ccc4bc9cb36195ca6b10beb63a2652a666d50e7fd410be1865a5003692db8f29021a2a134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dad1429017d79cc23990a034068fd001

SHA1
7afb908c503d0f674375f214a5b0bc1650223138

SHA256
7ea408e33a6e64f8c4dcc60ddc4262962099f6e5d407d8e60faaf8422d12cfa8

SHA512
484fd2d85b97b7e22745c6ffb3da9f37a8d539a18eeb5cb7782674d276c1050eda6513e32a7ef963df84c9f65ad1a5cd0128e1b1def4b9cdb02e62740a7b655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ade3d75dc3ee3ab8be30208b1d6897a

SHA1
bcf28d349b98a81d9e7f793fbab95c4170eb4080

SHA256
599c001bc38e201de9f5c9169a7b6c000d0bce83f102e32a2201c3d57204e629

SHA512
ecea635251dd07516e6249aa396718647126c7738f87d2e9cb0aa0d71da0d614c2cab42ef86585652f132689e990fce77d1dc3c543b4d9538d2b50a41c771477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c198ae786be473f8e5f616eb04303e3

SHA1
f8f467481cc2d09807b35d3204d0deb18a1a1e05

SHA256
88611f8d87b1dd28930a927b04840229bf5ce85989441ea41ab9ca7e1abfcde4

SHA512
9b3a754d5214cdc16720c3768b1a740ce6856c5630ecebdae7c366898bf6c4a955e58dad254f2498f5b4ce935eafe3681a011c3d5260888ca7f81513a63b7384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
860b6a25e4b29f37d34502a3a1a41ab9

SHA1
bd6a3df843c83d1654ad99f749ea53fd3c0498b7

SHA256
e4e6c182d7f03de2859fd8f1dca9bdafc129aff10aea0fdab2838987366f1a7c

SHA512
5582b8b44ae8c258731185f2a18d21d5796c6d9830b4d508a6504a0fc0a21914650a87876276fc3fe301bf1fb238b57d7d8e1134f93c124883ba54c779786548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddfe00947873a3379f5a54112681a8b6

SHA1
c18b3a9a337b6378c05df10031bce0c140afe9cb

SHA256
6f85f6463e8abdb2b4022736efd008fc1c4ef65af598ba0d5f8539cd97ccd443

SHA512
4cff096866ad9d7078375267f9e16f5d9e7d46b59a7d2e9a86a3fdd3b42099a4ee1e36da722075ab76e05acfdf2108de80e9f65b296266d8109bedced3d3db6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aff1d0c14ec86ba9b1c7d11a1aa7149a

SHA1
1c38e783bad5d697f5d06a1b2b68453afdb74aab

SHA256
ee838eee6d357b656da75c3b7eab407ec6ad054503ba3966ea9227381f3fbb64

SHA512
b9d2b56c04983e0d4e079ca2a485e6bd7a42b8852343d9ad0f701f117d879995f7dc8a21f8b5eb35d8cd65214d737fa8205a0d5c5410ab37d4fd3defdc18cf78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aea5cb7f27e89fb59360d49b1a005291

SHA1
32483bba5b0cf77c9aa13139ba1c8e9397ffab75

SHA256
50a967b462520910e3283fe2b7d1d319746ae4bbc86fa02fe4a3b76c4331e161

SHA512
e3a80d49e2089bf9702ba12abc58b26a8ef26390efe6c84b687525ed3c0e30792ddd5ab3f68a22d8229caff4f542879e936e218d81237571475671095bdf1aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b8d2d7341fac8d35fa755729194e3ef

SHA1
b65ffa75a1ff11823e199d58d7bcb6e4db676f4a

SHA256
30474baec13c8ee0044744970237c89c677afd85605bba382b3036fa9755becb

SHA512
a6a0d06a2f289816c222541b865c502e8d5bb2ea0951a934e0a8de1e01375ce2a2fdf88dfb33c022c7e933d31f7c0373c3d21d3f3fb548bcd98ff0d19725be1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fad8d1990817e24bc6450bd1d4bec79a

SHA1
dae57f12d25b76be3cdf4ee26fd1cd19ab17cbc7

SHA256
4a1d48ee6e771e23a1621a89440e620395eee096b94130cbe9f71e1d48c6d798

SHA512
356068114e4d1b7a98920dc6328e554ff10e97e148502d89bd27f778d26a7118f184959ec17f8f8eab4fc1cda5287471591e6ec8250cbc0df41002c201e4947f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed3fbbc4763882f0c0061ce387a8672b

SHA1
96a781d1d87ccd55b888d876e57d54580382295c

SHA256
eabf81e01768129873189fee196224596abdada0cd32280283a698544d05c5b5

SHA512
3d81ac2c1522498223c907bb718cf80a98d0d3f71e99b501d2a970abfb0b69277da6a72659270effcb47cebd2dd368dc7cbdf1807d1ffa25b849f901ce8c9c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0d30412f09ce1c11ed183dc49a074fe

SHA1
e2d50421b5e8494dbdb9f70a9899ae63e6248dab

SHA256
0cfba9fdaf9758922eba04f35100a53e44f66c580a7b7f9a5109035f7280d1e7

SHA512
3c390902effea6803c17015fd18a3893a0d508a135a34698a02e83378ab525e5d51240a789be360573bf041459e2dca0b2489c71a1dcbca374efe6dd383cc3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
118a3ffd276a8a67bbab96f2aaa4552d

SHA1
9080bb0ba67168dad5972de08184a6eef1db69c5

SHA256
ee88bad1d25df71e58d063133d9e24fafcdc8466b342408e14d901ef63940476

SHA512
2839c82652a60aa232e30e4d131991c593bb330b674b7206b97da743cc1dc3407b61f407dc6a983c77ecec0065c1cfde34ddd3bf623b816c6d999c7d5b88c6d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b2ad3f4ee2bcd9dc9ba704acd6d5cec

SHA1
a5e217f0531a66133b2e555ee8c52840dc561ffe

SHA256
b755e4cf5f29bf05c008ccf618ff075dff48d226c84136d156b9e8e5f001c23b

SHA512
ee198abc6bc39d1956844eede59cbe0ae4272a3c3791ca5f6ba459e54f6a78d52feac82a06143317201dc80afd630874c15d3c09671980bb7c92dabaa45c35a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9228e36530a252a1ccc26846ca0c22f

SHA1
0ea5ec429eaebdba0763a30286d437044a0ec9e2

SHA256
29575cae463cb609f58c55a94ec2a4551c5b19c9e0c13938cb22d73eaa9cad8a

SHA512
ea9abf940b2900b2693aaa8c8f6b8c8d1d6714cb14604bc473f76ea6cd0179bf5fec8479a1419e66697dc2a06e432d252c63859d1eb38654e206d54c851f7b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
202cde9a269f24d656c556bf7a75427b

SHA1
cb23c8c6c5cc72434afa5b223de3cec3f4ae4b2d

SHA256
1f59fb0172cebef5a200f5b0a302a74d0627158af940b02d974320c7f67c1813

SHA512
2473ef763ad010e79304fe1adf5e541facef9374b7631415a5ffa5586c0b2f9fe729b34d690e81c6b884654e46f2080c502b3e799fd54343687cd6d569a0b12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df598b7bb01cd0243a8f0e2f6de4a69e

SHA1
77f29c0c6b765b5b7a375dff963efe3481f7c056

SHA256
90583240ad75ec422f5449d4312202c76812936fd4ecac1013e175d1c44a26e0

SHA512
67340ba1722d6b9e7169ea5dbbd76c2ab246a371633da64489ecbac15428fd2ac264aca48c1315e5d0536f954f177c783b6e9dc3c290349b8d63a6b8529c7da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cba5fbb29555ba4a84593006ec8b71b1

SHA1
45c8b473ea7fb6bc5514d36db08916f869533e89

SHA256
91a2ef1732dd1ba9fcbc7fcae1ef7a971c3c4413d316336fea331cf5a150ef1a

SHA512
d8e2bc0b5a270028b90a2d225ff11acd17173dda0ee9f85185c2dc0362e2fd6da531ae759f3d837724ff9bccac27a70176214881bd58770c3d463eaca98e4a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc070b84858970d2d068d57a0f2a2fd6

SHA1
99a138dcf3a681fa733f62a598755d426183924b

SHA256
a00abeefa80d7739f7b17150ab757eb6aa7f931da89d8137902c89bf7b1fdcd9

SHA512
6d736b0158940774d292b9f5991d517e5cd5b455741bbb6a4aae4468a546d6768f8d39a0bf9fdd6bcae692059c7f57b35d6b4d9e18418071bfc405eb115ad94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1fdd77cb12693ba80efbe8a5463b34b0

SHA1
a28daa287556525ef8d54f4244fac761b9be9dc3

SHA256
03075f33cfb3ba600a7312a2c6ed5a26dd2e2d210913f70a471f1a120e501891

SHA512
e635f719d5e4a3a394ef348e5324c4e407427f00354e0ba9bc7cd25a3e966ecbd045211141a2c3156d1caf4459fd813b772595e74df06426bc9fd884e7e0f7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2bcwblzc.dbx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe

Filesize
1.7MB

MD5
6e628c5531010f1053fff090a7699659

SHA1
237e5b8870092dd0e9a3b0fb76da93fcfce56516

SHA256
52d65a486dd027d9d6e3ca10ea808815ff0fda4e5032695333b7c2d5a5f95e41

SHA512
53eb023d70038b2820a6c0ed0a453307f90b22279e521fa8af3b6ef240ce022300a1d05794bf02d52f472c5adeb87c814373c5e29b3f13102c0128af06d5f0e7

Download Submit
memory/1184-1311-0x00000211B4D00000-0x00000211B4F86000-memory.dmp

Filesize
2.5MB

Download
memory/1184-1309-0x00000211B5140000-0x00000211B580A000-memory.dmp

Filesize
6.8MB

Download
memory/1184-1307-0x000002119BB10000-0x000002119BB46000-memory.dmp

Filesize
216KB

Download
memory/2020-16-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2020-8-0x000002E8C7220000-0x000002E8C7242000-memory.dmp

Filesize
136KB

Download
memory/2020-12-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2020-13-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2020-14-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2020-15-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2020-19-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2540-0-0x00007FFBB7AB3000-0x00007FFBB7AB5000-memory.dmp

Filesize
8KB

Download
memory/2540-1-0x0000000000CE0000-0x0000000000F64000-memory.dmp

Filesize
2.5MB

Download
memory/2540-50-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2540-34-0x00007FFBB7AB0000-0x00007FFBB8572000-memory.dmp

Filesize
10.8MB

Download
memory/2856-1310-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2856-1237-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2856-1302-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3552-1187-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/3552-35-0x00000000005F0000-0x000000000060A000-memory.dmp

Filesize
104KB

Download
memory/3716-1248-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3716-1250-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/4948-1304-0x000000001B4F0000-0x000000001BA20000-memory.dmp

Filesize
5.2MB

Download
memory/4948-1308-0x000000001B2D0000-0x000000001B44C000-memory.dmp

Filesize
1.5MB

Download
memory/4948-1306-0x000000001BA20000-0x000000001BD86000-memory.dmp

Filesize
3.4MB

Download
memory/4948-1305-0x000000001B060000-0x000000001B0FC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads