xworm | dc5f812fd7931f68b7c178ee741a9f39f53d7a50df2b7db3a04027079e2d3cb9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

2.5MB
MD5

4d98901d7d0d7f62de6e076d955f1926
SHA1

e5a6e473f8b089171b7e79049c6d0ca6c5fb0ba3
SHA256

dc5f812fd7931f68b7c178ee741a9f39f53d7a50df2b7db3a04027079e2d3cb9
SHA512

c6795843377fdd44a5cee28a918788f6e6bc67b195d3018ee95313bc82bf96a787e934e56923bba5d5a22d7b42691a48f1ee858817773db44d28e456977b15f4
SSDEEP

49152:YZPjorfOAfRxx13BIq8IYpSqxN7XGQKoBaJ3RIrMQJZipKE1:YZkzD73i7pSqxNV5wQJwd1

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

cause-indexes.gl.at.ply.gg:17210

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a00000001e68d-22.dat	family_xworm
behavioral2/memory/1868-30-0x0000000000620000-0x000000000063A000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vffaje.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3164	powershell.exe
3916	powershell.exe
1856	powershell.exe
3916	powershell.exe
428	powershell.exe
4232	powershell.exe
712	powershell.exe
5024	powershell.exe
3112	powershell.exe
3828	powershell.exe
4880	powershell.exe
4512	powershell.exe
804	powershell.exe
4828	powershell.exe
1872	powershell.exe
448	powershell.exe
3596	powershell.exe
2100	powershell.exe
4624	powershell.exe
536	powershell.exe
4124	powershell.exe
448	powershell.exe
4324	powershell.exe
2640	powershell.exe
3500	powershell.exe
4104	powershell.exe
3404	powershell.exe
1972	powershell.exe
4484	powershell.exe
3116	powershell.exe
3928	powershell.exe
2400	powershell.exe
3764	powershell.exe
1568	powershell.exe
1108	powershell.exe
4984	powershell.exe
216	powershell.exe
3368	powershell.exe
3384	powershell.exe
3012	powershell.exe
3444	powershell.exe
2216	powershell.exe
936	powershell.exe
2784	powershell.exe
748	powershell.exe
2136	powershell.exe
5092	powershell.exe
4936	powershell.exe
1764	powershell.exe
4384	powershell.exe
4644	powershell.exe
3056	powershell.exe
856	powershell.exe
4680	powershell.exe
3180	powershell.exe
1536	powershell.exe
4464	powershell.exe
2640	powershell.exe
1956	powershell.exe
3672	powershell.exe
3476	powershell.exe
1896	powershell.exe
2880	powershell.exe
3456	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	vffaje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vffaje.exe"	vffaje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	vffaje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vffaje.exe"	vffaje.exe

Checks computer location settings 2 TTPs 52 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	ratka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	ratka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	ratka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	ratka.exe

Executes dropped EXE 51 IoCs

pid	Process
1868	ratka.exe
4124	ratka.exe
3584	ratka.exe
1764	ratka.exe
1220	ratka.exe
4380	ratka.exe
3432	ratka.exe
864	ratka.exe
2024	ratka.exe
4624	ratka.exe
1004	ratka.exe
2624	ratka.exe
3660	ratka.exe
3764	ratka.exe
2572	ratka.exe
3820	ratka.exe
1820	ratka.exe
4432	ratka.exe
3768	ratka.exe
3644	ratka.exe
1536	ratka.exe
1564	ratka.exe
3688	vffaje.exe
2780	vffaje.exe
3192	ratka.exe
4388	ratka.exe
4112	ratka.exe
2184	ratka.exe
5008	ratka.exe
2556	ratka.exe
4300	ratka.exe
3708	ratka.exe
4928	ratka.exe
4700	ratka.exe
2984	ratka.exe
2540	ratka.exe
4116	ratka.exe
2732	ratka.exe
2220	ratka.exe
2636	ratka.exe
3904	ratka.exe
3824	ratka.exe
2612	ratka.exe
3992	ratka.exe
3820	ratka.exe
4692	ratka.exe
3164	ratka.exe
4984	ratka.exe
3372	ratka.exe
1728	ratka.exe
4748	ratka.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vffaje.exe"	vffaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	ratka.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vffaje.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vffaje.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0023000000023c2c-576.dat	upx
behavioral2/memory/3688-578-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/2780-580-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/2780-582-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-670-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-685-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-809-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-888-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-969-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-1070-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-1200-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-1281-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3688-1382-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vffaje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vffaje.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4868	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	powershell.exe
448	powershell.exe
1948	powershell.exe
1948	powershell.exe
2220	powershell.exe
2220	powershell.exe
3116	powershell.exe
3116	powershell.exe
2136	powershell.exe
2136	powershell.exe
988	powershell.exe
988	powershell.exe
1200	powershell.exe
1200	powershell.exe
3364	powershell.exe
3916	powershell.exe
3364	powershell.exe
3916	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
1868	ratka.exe
5024	powershell.exe
5024	powershell.exe
1076	powershell.exe
1076	powershell.exe
1076	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
1076	powershell.exe
1076	powershell.exe
1076	powershell.exe
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
428	powershell.exe
428	powershell.exe
428	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
4768	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3688	vffaje.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1868	ratka.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	4124	ratka.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3584	ratka.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1868	ratka.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	1764	ratka.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	1220	ratka.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4380	ratka.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3432	ratka.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	864	ratka.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2024	ratka.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	4624	ratka.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	1004	ratka.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	2624	ratka.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	3660	ratka.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3764	ratka.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	2572	ratka.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	3820	ratka.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	1820	ratka.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4432	ratka.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3768	ratka.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3644	ratka.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1868	ratka.exe
3688	vffaje.exe
2780	vffaje.exe
2184	ratka.exe
3824	ratka.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 448	2628	BootstrapperNew.exe	89
PID 2628 wrote to memory of 448	2628	BootstrapperNew.exe	89
PID 2628 wrote to memory of 1868	2628	BootstrapperNew.exe	91
PID 2628 wrote to memory of 1868	2628	BootstrapperNew.exe	91
PID 2628 wrote to memory of 1948	2628	BootstrapperNew.exe	92
PID 2628 wrote to memory of 1948	2628	BootstrapperNew.exe	92
PID 2628 wrote to memory of 3896	2628	BootstrapperNew.exe	94
PID 2628 wrote to memory of 3896	2628	BootstrapperNew.exe	94
PID 3896 wrote to memory of 2220	3896	BootstrapperNew.exe	97
PID 3896 wrote to memory of 2220	3896	BootstrapperNew.exe	97
PID 3896 wrote to memory of 4124	3896	BootstrapperNew.exe	101
PID 3896 wrote to memory of 4124	3896	BootstrapperNew.exe	101
PID 3896 wrote to memory of 3116	3896	BootstrapperNew.exe	102
PID 3896 wrote to memory of 3116	3896	BootstrapperNew.exe	102
PID 3896 wrote to memory of 1124	3896	BootstrapperNew.exe	104
PID 3896 wrote to memory of 1124	3896	BootstrapperNew.exe	104
PID 1868 wrote to memory of 2136	1868	ratka.exe	105
PID 1868 wrote to memory of 2136	1868	ratka.exe	105
PID 1868 wrote to memory of 988	1868	ratka.exe	107
PID 1868 wrote to memory of 988	1868	ratka.exe	107
PID 1868 wrote to memory of 1200	1868	ratka.exe	109
PID 1868 wrote to memory of 1200	1868	ratka.exe	109
PID 1124 wrote to memory of 3364	1124	BootstrapperNew.exe	111
PID 1124 wrote to memory of 3364	1124	BootstrapperNew.exe	111
PID 1868 wrote to memory of 3916	1868	ratka.exe	113
PID 1868 wrote to memory of 3916	1868	ratka.exe	113
PID 1124 wrote to memory of 3584	1124	BootstrapperNew.exe	116
PID 1124 wrote to memory of 3584	1124	BootstrapperNew.exe	116
PID 1124 wrote to memory of 5092	1124	BootstrapperNew.exe	117
PID 1124 wrote to memory of 5092	1124	BootstrapperNew.exe	117
PID 1124 wrote to memory of 1652	1124	BootstrapperNew.exe	119
PID 1124 wrote to memory of 1652	1124	BootstrapperNew.exe	119
PID 1652 wrote to memory of 5024	1652	BootstrapperNew.exe	120
PID 1652 wrote to memory of 5024	1652	BootstrapperNew.exe	120
PID 1652 wrote to memory of 1764	1652	BootstrapperNew.exe	123
PID 1652 wrote to memory of 1764	1652	BootstrapperNew.exe	123
PID 1652 wrote to memory of 1076	1652	BootstrapperNew.exe	124
PID 1652 wrote to memory of 1076	1652	BootstrapperNew.exe	124
PID 1652 wrote to memory of 1580	1652	BootstrapperNew.exe	126
PID 1652 wrote to memory of 1580	1652	BootstrapperNew.exe	126
PID 1580 wrote to memory of 4680	1580	BootstrapperNew.exe	127
PID 1580 wrote to memory of 4680	1580	BootstrapperNew.exe	127
PID 1580 wrote to memory of 1220	1580	BootstrapperNew.exe	130
PID 1580 wrote to memory of 1220	1580	BootstrapperNew.exe	130
PID 1580 wrote to memory of 3112	1580	BootstrapperNew.exe	131
PID 1580 wrote to memory of 3112	1580	BootstrapperNew.exe	131
PID 1580 wrote to memory of 3688	1580	BootstrapperNew.exe	133
PID 1580 wrote to memory of 3688	1580	BootstrapperNew.exe	133
PID 3688 wrote to memory of 4936	3688	BootstrapperNew.exe	134
PID 3688 wrote to memory of 4936	3688	BootstrapperNew.exe	134
PID 3688 wrote to memory of 4380	3688	BootstrapperNew.exe	136
PID 3688 wrote to memory of 4380	3688	BootstrapperNew.exe	136
PID 3688 wrote to memory of 4416	3688	BootstrapperNew.exe	137
PID 3688 wrote to memory of 4416	3688	BootstrapperNew.exe	137
PID 3688 wrote to memory of 4876	3688	BootstrapperNew.exe	139
PID 3688 wrote to memory of 4876	3688	BootstrapperNew.exe	139
PID 4876 wrote to memory of 1076	4876	BootstrapperNew.exe	140
PID 4876 wrote to memory of 1076	4876	BootstrapperNew.exe	140
PID 4876 wrote to memory of 3432	4876	BootstrapperNew.exe	142
PID 4876 wrote to memory of 3432	4876	BootstrapperNew.exe	142
PID 4876 wrote to memory of 2072	4876	BootstrapperNew.exe	143
PID 4876 wrote to memory of 2072	4876	BootstrapperNew.exe	143
PID 4876 wrote to memory of 3116	4876	BootstrapperNew.exe	145
PID 4876 wrote to memory of 3116	4876	BootstrapperNew.exe	145

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vffaje.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vffaje.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	vffaje.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Users\Admin\AppData\Local\Temp\ratka.exe
  "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\vffaje.exe
    "C:\Users\Admin\AppData\Local\Temp\vffaje.exe"
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\ratka.exe
    "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\ratka.exe
      "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        Checks computer location settings
        
        PID:3116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        Checks computer location settings
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        Checks computer location settings
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        Checks computer location settings
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        Checks computer location settings
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        Checks computer location settings
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        Checks computer location settings
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        Checks computer location settings
        
        PID:5064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        Checks computer location settings
        
        PID:3384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        Checks computer location settings
        
        PID:4364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        Checks computer location settings
        
        PID:4896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        21⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        22⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        Checks computer location settings
        
        PID:3648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        23⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        Checks computer location settings
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        24⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        Checks computer location settings
        
        PID:4168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        25⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        25⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        25⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        Checks computer location settings
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        26⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        26⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        Checks computer location settings
        
        PID:4968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        27⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4711.tmp.bat""
        28⤵
        
        PID:2772
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        Delays execution with timeout.exe
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        Checks computer location settings
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        28⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        Checks computer location settings
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        29⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        29⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        Checks computer location settings
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        30⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        Checks computer location settings
        
        PID:3368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        31⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        Checks computer location settings
        
        PID:3180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        32⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        32⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        32⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        Checks computer location settings
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        33⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        Checks computer location settings
        
        PID:4956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        34⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        34⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        Checks computer location settings
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        35⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        35⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        Checks computer location settings
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        36⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        36⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        Checks computer location settings
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        37⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        37⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        38⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        39⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        Checks computer location settings
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        40⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        40⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        Checks computer location settings
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        41⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ratka.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        42⤵
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        41⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        Checks computer location settings
        
        PID:3240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        42⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        42⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        Checks computer location settings
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        43⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        43⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        43⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        Checks computer location settings
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        44⤵
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        Checks computer location settings
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        45⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        45⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        Checks computer location settings
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        46⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        46⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        46⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        Checks computer location settings
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        47⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        47⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        47⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        Checks computer location settings
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        48⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        48⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        48⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        Checks computer location settings
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        49⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        49⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ratka.exe'
        50⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\ratka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratka.exe"
        50⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe'
        50⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        50⤵
        
        PID:3000

C:\Users\Admin\AppData\Local\Temp\vffaje.exe
C:\Users\Admin\AppData\Local\Temp\vffaje.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperNew.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
73af4f2170e957d2e0a17b3969478aae

SHA1
0cf6ed9f94648debd2f23f4b4563a07a4d8ab8b5

SHA256
b157a020262f6ab70c58265ad703ab2ed3db6baff07a471519c8d3b682c5f329

SHA512
56d2da128397e463ed742cfc06f0e8e20bd87d439b3e164dde82da163195ac55e3fa532a427de5f3546878e2bb5532f588ea84790ca3a0e3c5cf6b242ea8572d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fda6b7c8f23027ffe34e2c461862a52

SHA1
31ade0cc3a2d31befdb19b15596d8f8666a8933e

SHA256
192ca75653dd7c78c6e5e87607fe2111f66ff1dc3679b9565ea914db6384ed1b

SHA512
f395bee01b70e1595282740f56c929f8e5e8d0b41f38d0ea316e10abaa1df890bb587f417cbd03696e2c5eb17af9ae7f864d2e251ef64d108b8a02d396b3b03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c739c0d9733d90cf768d839ad8924ae1

SHA1
c4b76ed916b260ae74f3c5f52ebae8aa4adeafd8

SHA256
cb3d8ed30e4409dbd78ebdfb38eb758a9e344ba8c937fcf7f9833f1ac21c2bfc

SHA512
acc6931bf025210fe242fb803c8f16000bec8753ece56de5f9d9028edfaa9716cca00444a1261c260ea598b3af5932614c51735f57336be31f54031a9d69f42f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0fe2f9005e1d6425bebef2227f4b5c6f

SHA1
3ebed4360fd1dd2ed2bb603e2269eda011575ad8

SHA256
1835845b9b0b5c672c669a713ad31b35cfdb243a3c62fa6e13a6daaca6486233

SHA512
1fef4e76e80a0c53061720ce89ff6309a9feab50a953381a308ca1768c2a1e378179288a10822ee303dd4274bd3e9d692b13881d9dae0bb8e1376a9a866e5e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92075279f2dbcaa5724ee5a47e49712f

SHA1
8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

SHA256
fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

SHA512
744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7160acb949a9bd2445fc778b248be9f0

SHA1
093ebdc410c05b2e723f742fc70f21380fa52566

SHA256
c0999b067446bc532bfdd5ceb5754fa1539dba3ac1eab33b4c6562635c5901f7

SHA512
37ce82848df6bf3b862af11ad05a13161b6172a4464f20caa7a81de395c376c38096c2c9d653a3f18dfd63e4abc13c96d60963ba98527a10e127306019b64636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4920f7bec7cdb8ac44637a6af9d2fc6f

SHA1
d4c5e3c9397926ec9bdaccdd955e89f5138b1816

SHA256
8cc607eab702c5690ee5d64f5d34add46b7093c23751506dad728853a434a277

SHA512
321e8178ebd08d680c6d1af467ab73e3055af8c8bb06ee81b1af46bd6718e5a060c339da5a281028c2557ab8d85172921e10363ccd8d411aa0e75f62119838d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nf0n3jm3.ouz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratka.exe

Filesize
80KB

MD5
39ffa7b287f2d822703a6deea560dcbd

SHA1
34ae6406ec73ad02955cb7676b37489fdab1695b

SHA256
9465f48edb12c0ecfe182d5d6a91be86afd52c152b61c3916efb09df3a90cb05

SHA512
7efa49f3c9ba846d6382e7683d64a5b00232c459028a177b07c0e4f28f06682bd3a219421a355515766007bee9e0dfcce5e243afba73290487057542a644cc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vffaje.exe

Filesize
1.7MB

MD5
6e628c5531010f1053fff090a7699659

SHA1
237e5b8870092dd0e9a3b0fb76da93fcfce56516

SHA256
52d65a486dd027d9d6e3ca10ea808815ff0fda4e5032695333b7c2d5a5f95e41

SHA512
53eb023d70038b2820a6c0ed0a453307f90b22279e521fa8af3b6ef240ce022300a1d05794bf02d52f472c5adeb87c814373c5e29b3f13102c0128af06d5f0e7

Download Submit
memory/448-17-0x00007FFD70220000-0x00007FFD70CE1000-memory.dmp

Filesize
10.8MB

Download
memory/448-13-0x00007FFD70220000-0x00007FFD70CE1000-memory.dmp

Filesize
10.8MB

Download
memory/448-14-0x00007FFD70220000-0x00007FFD70CE1000-memory.dmp

Filesize
10.8MB

Download
memory/448-12-0x00007FFD70220000-0x00007FFD70CE1000-memory.dmp

Filesize
10.8MB

Download
memory/448-7-0x00000275B0730000-0x00000275B0752000-memory.dmp

Filesize
136KB

Download
memory/1868-572-0x0000000002840000-0x000000000284C000-memory.dmp

Filesize
48KB

Download
memory/1868-30-0x0000000000620000-0x000000000063A000-memory.dmp

Filesize
104KB

Download
memory/2628-1-0x0000000000140000-0x00000000003C4000-memory.dmp

Filesize
2.5MB

Download
memory/2628-26-0x00007FFD70220000-0x00007FFD70CE1000-memory.dmp

Filesize
10.8MB

Download
memory/2628-45-0x00007FFD70220000-0x00007FFD70CE1000-memory.dmp

Filesize
10.8MB

Download
memory/2628-0-0x00007FFD70223000-0x00007FFD70225000-memory.dmp

Filesize
8KB

Download
memory/2780-582-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2780-580-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-670-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-578-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-685-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-809-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-888-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-969-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-1070-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-1200-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-1281-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3688-1382-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download