xworm | dc5f812fd7931f68b7c178ee741a9f39f53d7a50df2b7db3a04027079e2d3cb9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

2.5MB
MD5

4d98901d7d0d7f62de6e076d955f1926
SHA1

e5a6e473f8b089171b7e79049c6d0ca6c5fb0ba3
SHA256

dc5f812fd7931f68b7c178ee741a9f39f53d7a50df2b7db3a04027079e2d3cb9
SHA512

c6795843377fdd44a5cee28a918788f6e6bc67b195d3018ee95313bc82bf96a787e934e56923bba5d5a22d7b42691a48f1ee858817773db44d28e456977b15f4
SSDEEP

49152:YZPjorfOAfRxx13BIq8IYpSqxN7XGQKoBaJ3RIrMQJZipKE1:YZkzD73i7pSqxNV5wQJwd1

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

cause-indexes.gl.at.ply.gg:17210

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00120000000054a9-11.dat	family_xworm
behavioral1/memory/2656-14-0x00000000009B0000-0x00000000009CA000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sydcxc.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
644	powershell.exe
2864	powershell.exe
1824	powershell.exe
588	powershell.exe
1732	powershell.exe
1872	powershell.exe
2584	powershell.exe
2884	powershell.exe
2568	powershell.exe
1832	powershell.exe
2232	powershell.exe
2708	powershell.exe
1312	powershell.exe
2660	powershell.exe
960	powershell.exe
1316	powershell.exe
2572	powershell.exe
1816	powershell.exe
2844	powershell.exe
2556	powershell.exe
1524	powershell.exe
2092	powershell.exe
1652	powershell.exe
1684	powershell.exe
1560	powershell.exe
1784	powershell.exe
1308	powershell.exe
1032	powershell.exe
2132	powershell.exe
2792	powershell.exe
1092	powershell.exe
2020	powershell.exe
2572	powershell.exe
1792	powershell.exe
1716	powershell.exe
1080	powershell.exe
2668	powershell.exe
1796	powershell.exe
1604	powershell.exe
1640	powershell.exe
3052	powershell.exe
576	powershell.exe
2352	powershell.exe
3060	powershell.exe
2792	powershell.exe
1432	powershell.exe
1604	powershell.exe
1312	powershell.exe
2936	powershell.exe
2100	powershell.exe
900	powershell.exe
2692	powershell.exe
2056	powershell.exe
396	powershell.exe
2892	powershell.exe
2968	powershell.exe
1500	powershell.exe
1572	powershell.exe
1648	powershell.exe
860	powershell.exe
1240	powershell.exe
2168	powershell.exe
2468	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	sydcxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sydcxc.exe"	sydcxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	sydcxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sydcxc.exe"	sydcxc.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe

Executes dropped EXE 51 IoCs

pid	Process
2656	ratka.exe
3056	ratka.exe
1604	ratka.exe
2400	ratka.exe
2816	ratka.exe
2416	ratka.exe
2260	ratka.exe
2252	ratka.exe
1672	ratka.exe
2824	ratka.exe
2064	ratka.exe
1276	ratka.exe
2992	ratka.exe
2308	ratka.exe
2116	ratka.exe
2888	ratka.exe
2644	ratka.exe
1712	ratka.exe
404	ratka.exe
1644	ratka.exe
2836	ratka.exe
812	ratka.exe
2772	sydcxc.exe
2924	sydcxc.exe
1716	ratka.exe
2556	ratka.exe
2880	ratka.exe
2288	ratka.exe
1976	ratka.exe
636	ratka.exe
1052	ratka.exe
2892	ratka.exe
808	ratka.exe
1832	ratka.exe
1332	ratka.exe
852	ratka.exe
1652	ratka.exe
1556	ratka.exe
2936	ratka.exe
2600	ratka.exe
2120	ratka.exe
2724	ratka.exe
2136	ratka.exe
3060	ratka.exe
2684	ratka.exe
1692	ratka.exe
2848	ratka.exe
1364	ratka.exe
876	ratka.exe
3060	ratka.exe
1380	ratka.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sydcxc.exe"	sydcxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sydcxc.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	sydcxc.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-255-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2924-261-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2924-265-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-306-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-317-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-382-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-426-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-471-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-516-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-599-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-644-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2772-689-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sydcxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sydcxc.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2108	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1080	powershell.exe
2692	powershell.exe
2568	powershell.exe
2596	powershell.exe
2668	powershell.exe
1032	powershell.exe
2020	powershell.exe
1796	powershell.exe
2656	ratka.exe
2948	powershell.exe
940	powershell.exe
1824	powershell.exe
2376	powershell.exe
860	powershell.exe
2572	powershell.exe
3060	powershell.exe
2752	powershell.exe
2792	powershell.exe
2056	powershell.exe
1832	powershell.exe
1760	powershell.exe
2232	powershell.exe
1604	powershell.exe
2132	powershell.exe
2708	powershell.exe
560	powershell.exe
1764	powershell.exe
588	powershell.exe
2792	powershell.exe
1240	powershell.exe
1432	powershell.exe
1092	powershell.exe
1968	powershell.exe
1604	powershell.exe
2664	powershell.exe
2688	powershell.exe
1312	powershell.exe
1732	powershell.exe
824	powershell.exe
2020	powershell.exe
888	powershell.exe
2260	powershell.exe
2168	powershell.exe
2396	powershell.exe
2468	powershell.exe
396	powershell.exe
2572	powershell.exe
1312	powershell.exe
2892	powershell.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe
2772	sydcxc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	sydcxc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2656	ratka.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3056	ratka.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2656	ratka.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1604	ratka.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2400	ratka.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2816	ratka.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2416	ratka.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2260	ratka.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2252	ratka.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1672	ratka.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2824	ratka.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2064	ratka.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1276	ratka.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2992	ratka.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	2308	ratka.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2116	ratka.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2888	ratka.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2644	ratka.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1712	ratka.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	404	ratka.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1644	ratka.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2656	ratka.exe
2772	sydcxc.exe
2924	sydcxc.exe
2288	ratka.exe
2724	ratka.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1080	1484	BootstrapperNew.exe	31
PID 1484 wrote to memory of 1080	1484	BootstrapperNew.exe	31
PID 1484 wrote to memory of 1080	1484	BootstrapperNew.exe	31
PID 1484 wrote to memory of 2656	1484	BootstrapperNew.exe	33
PID 1484 wrote to memory of 2656	1484	BootstrapperNew.exe	33
PID 1484 wrote to memory of 2656	1484	BootstrapperNew.exe	33
PID 1484 wrote to memory of 2692	1484	BootstrapperNew.exe	34
PID 1484 wrote to memory of 2692	1484	BootstrapperNew.exe	34
PID 1484 wrote to memory of 2692	1484	BootstrapperNew.exe	34
PID 1484 wrote to memory of 2868	1484	BootstrapperNew.exe	36
PID 1484 wrote to memory of 2868	1484	BootstrapperNew.exe	36
PID 1484 wrote to memory of 2868	1484	BootstrapperNew.exe	36
PID 2868 wrote to memory of 2568	2868	BootstrapperNew.exe	37
PID 2868 wrote to memory of 2568	2868	BootstrapperNew.exe	37
PID 2868 wrote to memory of 2568	2868	BootstrapperNew.exe	37
PID 2656 wrote to memory of 2668	2656	ratka.exe	39
PID 2656 wrote to memory of 2668	2656	ratka.exe	39
PID 2656 wrote to memory of 2668	2656	ratka.exe	39
PID 2868 wrote to memory of 3056	2868	BootstrapperNew.exe	41
PID 2868 wrote to memory of 3056	2868	BootstrapperNew.exe	41
PID 2868 wrote to memory of 3056	2868	BootstrapperNew.exe	41
PID 2868 wrote to memory of 2596	2868	BootstrapperNew.exe	42
PID 2868 wrote to memory of 2596	2868	BootstrapperNew.exe	42
PID 2868 wrote to memory of 2596	2868	BootstrapperNew.exe	42
PID 2656 wrote to memory of 1032	2656	ratka.exe	44
PID 2656 wrote to memory of 1032	2656	ratka.exe	44
PID 2656 wrote to memory of 1032	2656	ratka.exe	44
PID 2868 wrote to memory of 2796	2868	BootstrapperNew.exe	46
PID 2868 wrote to memory of 2796	2868	BootstrapperNew.exe	46
PID 2868 wrote to memory of 2796	2868	BootstrapperNew.exe	46
PID 2656 wrote to memory of 2020	2656	ratka.exe	47
PID 2656 wrote to memory of 2020	2656	ratka.exe	47
PID 2656 wrote to memory of 2020	2656	ratka.exe	47
PID 2656 wrote to memory of 1796	2656	ratka.exe	49
PID 2656 wrote to memory of 1796	2656	ratka.exe	49
PID 2656 wrote to memory of 1796	2656	ratka.exe	49
PID 2796 wrote to memory of 2948	2796	BootstrapperNew.exe	51
PID 2796 wrote to memory of 2948	2796	BootstrapperNew.exe	51
PID 2796 wrote to memory of 2948	2796	BootstrapperNew.exe	51
PID 2796 wrote to memory of 1604	2796	BootstrapperNew.exe	53
PID 2796 wrote to memory of 1604	2796	BootstrapperNew.exe	53
PID 2796 wrote to memory of 1604	2796	BootstrapperNew.exe	53
PID 2796 wrote to memory of 940	2796	BootstrapperNew.exe	54
PID 2796 wrote to memory of 940	2796	BootstrapperNew.exe	54
PID 2796 wrote to memory of 940	2796	BootstrapperNew.exe	54
PID 2796 wrote to memory of 1780	2796	BootstrapperNew.exe	56
PID 2796 wrote to memory of 1780	2796	BootstrapperNew.exe	56
PID 2796 wrote to memory of 1780	2796	BootstrapperNew.exe	56
PID 1780 wrote to memory of 1824	1780	BootstrapperNew.exe	57
PID 1780 wrote to memory of 1824	1780	BootstrapperNew.exe	57
PID 1780 wrote to memory of 1824	1780	BootstrapperNew.exe	57
PID 1780 wrote to memory of 2400	1780	BootstrapperNew.exe	59
PID 1780 wrote to memory of 2400	1780	BootstrapperNew.exe	59
PID 1780 wrote to memory of 2400	1780	BootstrapperNew.exe	59
PID 1780 wrote to memory of 2376	1780	BootstrapperNew.exe	60
PID 1780 wrote to memory of 2376	1780	BootstrapperNew.exe	60
PID 1780 wrote to memory of 2376	1780	BootstrapperNew.exe	60
PID 1780 wrote to memory of 276	1780	BootstrapperNew.exe	62
PID 1780 wrote to memory of 276	1780	BootstrapperNew.exe	62
PID 1780 wrote to memory of 276	1780	BootstrapperNew.exe	62
PID 276 wrote to memory of 860	276	BootstrapperNew.exe	64
PID 276 wrote to memory of 860	276	BootstrapperNew.exe	64
PID 276 wrote to memory of 860	276	BootstrapperNew.exe	64
PID 276 wrote to memory of 2816	276	BootstrapperNew.exe	66

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	sydcxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sydcxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	sydcxc.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\ratka.exe
  "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\sydcxc.exe
    "C:\Users\Admin\AppData\Local\Temp\sydcxc.exe"
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Users\Admin\AppData\Local\Temp\ratka.exe
    "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\ratka.exe
      "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:276
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        
        PID:992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        
        PID:1288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        22⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        23⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        24⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        25⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        25⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        26⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        26⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        26⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        27⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC429.tmp.bat""
        28⤵
        
        PID:1104
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        Delays execution with timeout.exe
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        27⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        28⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        28⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        
        PID:2024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        29⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        29⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        29⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        
        PID:896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        30⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        30⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        30⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        31⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        31⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        32⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        33⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        34⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        34⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        35⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        36⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        36⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        37⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        38⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        38⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        39⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        39⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        39⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        40⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        41⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        41⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        42⤵
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        42⤵
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        
        PID:1080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        42⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        42⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        43⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        43⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        43⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        44⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        44⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        
        PID:276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        45⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        45⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        
        PID:2508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        46⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        46⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        47⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        47⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        48⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        48⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        48⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        49⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        49⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        49⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        50⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        50⤵
        
        PID:2512

C:\Users\Admin\AppData\Local\Temp\sydcxc.exe
C:\Users\Admin\AppData\Local\Temp\sydcxc.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ratka.exe

Filesize
80KB

MD5
39ffa7b287f2d822703a6deea560dcbd

SHA1
34ae6406ec73ad02955cb7676b37489fdab1695b

SHA256
9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05

SHA512
7efa49f3c9ba846d6382e7683d64a5b00232c459028a177b07c0e4f28f06682bd3a219421a355515766007bee9e0dfcce5e243afba73290487057542a644cc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC429.tmp.bat

Filesize
157B

MD5
511851e142b04a987fa0abea1757336a

SHA1
34a8bcee6683c0e16ed33b7895d8e4189197c084

SHA256
793340f981d9c2d9f4764786598f510fac99ada5dfc72b38262fc353e9edf6a7

SHA512
3340f7357baa71ec8a8745ea43314eac98a444efa5b0fad8ca50e58c31efe7375c1539761ec9381cd1c4678fca09b4409e643cabfa3137648373755db5bcd1b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
277635f8e302feae94523e8a553dade4

SHA1
4ddf4292b683434ed087adcc4271b2e4f8ebbe7a

SHA256
97d76a5ac49aee76b9010ee2bf6eed8e0e8143438c89479cb1d02faca338d88f

SHA512
28df1193a241caad10f37cc38698769c44b57c6794993138cb87d6e224c4063bded55c265e3cb0f7d8f5908375e29f17464ef11e067f79dfb7ca8030acaa7bcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
df06bdbd85ca14619d3d678a853569e5

SHA1
2d29390236f3a09cc469606d8833b84b2d62705d

SHA256
ee44b2ef44f5ed51b1e8767257e88f4eb1c8fafee0747c7987370885b1b3ea61

SHA512
ccd8e1cbd7ec739bbe1fd10b97b30cbd0151962f5c15765fbd4c9356bdbbd420c817fde33cfd2606813c7524b6cfcdff3b7ed05b9074b6da886bee1203cb9bfb

Download Submit
memory/860-85-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/860-84-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/1080-8-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1080-7-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1080-6-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/1484-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1484-1-0x0000000001290000-0x0000000001514000-memory.dmp

Filesize
2.5MB

Download
memory/1560-263-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/1560-262-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1640-270-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/1640-271-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2656-14-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download
memory/2656-251-0x000000001A710000-0x000000001A71C000-memory.dmp

Filesize
48KB

Download
memory/2692-20-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2692-21-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2772-516-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-255-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-306-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-317-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-382-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-426-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-471-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-599-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-644-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2772-689-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2844-405-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2924-265-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2924-261-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download