xworm | c97add81fe634aac6a0291ebbefc67bc3748966e27cca7fec62e54a54a50abc8

Analysis

max time kernel
9s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan Alpha (prem).exe
Size

3.6MB
MD5

9da7ae2451efded063b29e9763aa244c
SHA1

fb8ca87e4858331ea25485312a5d71ba25704cbc
SHA256

a993be0a000fc4fff5b3806da4d35981551c2ed13655a19985e2f1928f869e07
SHA512

370af95e2ef727f05051738d9f878e9b3954f9a95e2d486afc1000bb2619f9105c1078ecfda78e73cc609e87799c7e67bd19afdd1d1a9ea5b781b896f8825c66
SSDEEP

98304:7u7xU6HERA18WXVP46ir0HKNDKx8/0hYC3srW5cXVR:7u7i6HctF6g0HKND0

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

192.121.16.228:8324

Attributes

Install_directory
%AppData%
install_file
NurClient.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023c80-6.dat	family_xworm
behavioral1/memory/4616-13-0x0000000000CC0000-0x0000000000CD8000-memory.dmp	family_xworm
behavioral1/files/0x0008000000023cc6-166.dat	family_xworm
behavioral1/memory/3488-171-0x0000000000440000-0x0000000000458000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4912	powershell.exe
1972	powershell.exe
812	powershell.exe
940	powershell.exe
3076	powershell.exe
4884	powershell.exe
5116	powershell.exe
1972	powershell.exe

Checks computer location settings 2 TTPs 51 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	test1w.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	nur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	test1w.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	test1w.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Nursultan Alpha (prem).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	test1w.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	NurClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	skeet.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurClient.lnk	nur.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurClient.lnk	nur.exe

Executes dropped EXE 64 IoCs

pid	Process
4616	nur.exe
876	Nursultan Alpha (prem).exe
4004	Nursultan Alpha (prem).exe
688	test1w.exe
3560	Nursultan Alpha (prem).exe
2320	test1w.exe
3480	skeet.exe
4032	NurClient.exe
4152	Nursultan Alpha (prem).exe
3452	skeet.exe
4368	NurClient.exe
1056	test1w.exe
3488	skeet.exe
2448	Nursultan Alpha (prem).exe
5052	skeet.exe
3748	NurClient.exe
5092	skeet.exe
4912	test1w.exe
1664	skeet.exe
4920	NurClient.exe
4968	skeet.exe
3632	skeet.exe
5000	skeet.exe
4448	NurClient.exe
4908	NurClient.exe
2252	Nursultan Alpha (prem).exe
4784	test1w.exe
596	skeet.exe
3060	NurClient.exe
4072	skeet.exe
2900	skeet.exe
2572	NurClient.exe
3236	skeet.exe
2212	NurClient.exe
3384	skeet.exe
4388	NurClient.exe
4464	skeet.exe
2180	skeet.exe
2428	skeet.exe
4188	NurClient.exe
2400	skeet.exe
2904	NurClient.exe
3912	skeet.exe
1068	skeet.exe
5056	NurClient.exe
2084	skeet.exe
2268	skeet.exe
4196	skeet.exe
1672	NurClient.exe
2204	skeet.exe
4948	skeet.exe
2392	NurClient.exe
4664	skeet.exe
3396	NurClient.exe
2056	skeet.exe
2900	skeet.exe
4732	NurClient.exe
3744	skeet.exe
4620	skeet.exe
3488	NurClient.exe
4032	skeet.exe
220	NurClient.exe
1020	skeet.exe
2920	NurClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NurClient = "C:\\Users\\Admin\\AppData\\Roaming\\NurClient.exe"	nur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4884	powershell.exe
4884	powershell.exe
5116	powershell.exe
5116	powershell.exe
1972	powershell.exe
1972	powershell.exe
4912	powershell.exe
4912	powershell.exe
4616	nur.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	nur.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	3488	NurClient.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	220	NurClient.exe
Token: SeDebugPrivilege	2920	NurClient.exe
Token: SeDebugPrivilege	1056	NurClient.exe
Token: SeDebugPrivilege	4136	NurClient.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	2800	NurClient.exe
Token: SeDebugPrivilege	2132	NurClient.exe
Token: SeDebugPrivilege	4904	NurClient.exe
Token: SeDebugPrivilege	4616	nur.exe
Token: SeDebugPrivilege	2980	NurClient.exe
Token: SeDebugPrivilege	4624	NurClient.exe
Token: SeDebugPrivilege	1400	NurClient.exe
Token: SeDebugPrivilege	2128	NurClient.exe
Token: SeDebugPrivilege	2928	NurClient.exe
Token: SeDebugPrivilege	1528	NurClient.exe
Token: SeDebugPrivilege	840	NurClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	nur.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 4616	2948	Nursultan Alpha (prem).exe	87
PID 2948 wrote to memory of 4616	2948	Nursultan Alpha (prem).exe	87
PID 2948 wrote to memory of 876	2948	Nursultan Alpha (prem).exe	88
PID 2948 wrote to memory of 876	2948	Nursultan Alpha (prem).exe	88
PID 876 wrote to memory of 4004	876	Nursultan Alpha (prem).exe	89
PID 876 wrote to memory of 4004	876	Nursultan Alpha (prem).exe	89
PID 876 wrote to memory of 688	876	Nursultan Alpha (prem).exe	90
PID 876 wrote to memory of 688	876	Nursultan Alpha (prem).exe	90
PID 4004 wrote to memory of 3560	4004	Nursultan Alpha (prem).exe	91
PID 4004 wrote to memory of 3560	4004	Nursultan Alpha (prem).exe	91
PID 4004 wrote to memory of 2320	4004	Nursultan Alpha (prem).exe	92
PID 4004 wrote to memory of 2320	4004	Nursultan Alpha (prem).exe	92
PID 688 wrote to memory of 3480	688	test1w.exe	93
PID 688 wrote to memory of 3480	688	test1w.exe	93
PID 688 wrote to memory of 4032	688	test1w.exe	153
PID 688 wrote to memory of 4032	688	test1w.exe	153
PID 3560 wrote to memory of 4152	3560	Nursultan Alpha (prem).exe	95
PID 3560 wrote to memory of 4152	3560	Nursultan Alpha (prem).exe	95
PID 3480 wrote to memory of 3452	3480	skeet.exe	96
PID 3480 wrote to memory of 3452	3480	skeet.exe	96
PID 3480 wrote to memory of 4368	3480	skeet.exe	188
PID 3480 wrote to memory of 4368	3480	skeet.exe	188
PID 3560 wrote to memory of 1056	3560	Nursultan Alpha (prem).exe	158
PID 3560 wrote to memory of 1056	3560	Nursultan Alpha (prem).exe	158
PID 4032 wrote to memory of 3488	4032	NurClient.exe	150
PID 4032 wrote to memory of 3488	4032	NurClient.exe	150
PID 4616 wrote to memory of 4884	4616	nur.exe	100
PID 4616 wrote to memory of 4884	4616	nur.exe	100
PID 4152 wrote to memory of 2448	4152	Nursultan Alpha (prem).exe	101
PID 4152 wrote to memory of 2448	4152	Nursultan Alpha (prem).exe	101
PID 1056 wrote to memory of 5052	1056	test1w.exe	102
PID 1056 wrote to memory of 5052	1056	test1w.exe	102
PID 1056 wrote to memory of 3748	1056	test1w.exe	103
PID 1056 wrote to memory of 3748	1056	test1w.exe	103
PID 3452 wrote to memory of 5092	3452	skeet.exe	104
PID 3452 wrote to memory of 5092	3452	skeet.exe	104
PID 4152 wrote to memory of 4912	4152	Nursultan Alpha (prem).exe	161
PID 4152 wrote to memory of 4912	4152	Nursultan Alpha (prem).exe	161
PID 4368 wrote to memory of 1664	4368	NurClient.exe	106
PID 4368 wrote to memory of 1664	4368	NurClient.exe	106
PID 3452 wrote to memory of 4920	3452	skeet.exe	107
PID 3452 wrote to memory of 4920	3452	skeet.exe	107
PID 4912 wrote to memory of 4968	4912	test1w.exe	109
PID 4912 wrote to memory of 4968	4912	test1w.exe	109
PID 5092 wrote to memory of 3632	5092	skeet.exe	111
PID 5092 wrote to memory of 3632	5092	skeet.exe	111
PID 3748 wrote to memory of 5000	3748	NurClient.exe	110
PID 3748 wrote to memory of 5000	3748	NurClient.exe	110
PID 4912 wrote to memory of 4448	4912	test1w.exe	112
PID 4912 wrote to memory of 4448	4912	test1w.exe	112
PID 5092 wrote to memory of 4908	5092	skeet.exe	113
PID 5092 wrote to memory of 4908	5092	skeet.exe	113
PID 2448 wrote to memory of 2252	2448	Nursultan Alpha (prem).exe	114
PID 2448 wrote to memory of 2252	2448	Nursultan Alpha (prem).exe	114
PID 2448 wrote to memory of 4784	2448	Nursultan Alpha (prem).exe	222
PID 2448 wrote to memory of 4784	2448	Nursultan Alpha (prem).exe	222
PID 3632 wrote to memory of 596	3632	skeet.exe	116
PID 3632 wrote to memory of 596	3632	skeet.exe	116
PID 3632 wrote to memory of 3060	3632	skeet.exe	117
PID 3632 wrote to memory of 3060	3632	skeet.exe	117
PID 4448 wrote to memory of 4072	4448	NurClient.exe	118
PID 4448 wrote to memory of 4072	4448	NurClient.exe	118
PID 596 wrote to memory of 2900	596	skeet.exe	146
PID 596 wrote to memory of 2900	596	skeet.exe	146

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha (prem).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\nur.exe
  "C:\Users\Admin\AppData\Roaming\nur.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\nur.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nur.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
    "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
      "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe
        
        "C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe"
        7⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4784
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        8⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        8⤵
        Executes dropped EXE
        
        PID:2212
      - C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        7⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4664
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        20⤵
        Checks computer location settings
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        21⤵
        Checks computer location settings
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        22⤵
        Checks computer location settings
        
        PID:3668
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        23⤵
        Checks computer location settings
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        24⤵
        Checks computer location settings
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        25⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        26⤵
        Checks computer location settings
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        27⤵
        Checks computer location settings
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        28⤵
        Checks computer location settings
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        29⤵
        Checks computer location settings
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        30⤵
        Checks computer location settings
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        31⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        32⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        33⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        34⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        35⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        36⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        37⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        38⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        39⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        40⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        41⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        42⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        43⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        43⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        42⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        41⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        40⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        39⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        38⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        37⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        36⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        35⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        34⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        33⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        32⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NurClient.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurClient.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3076
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        16⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3396
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        16⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        15⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        11⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        12⤵
        Executes dropped EXE
        
        PID:2084
    - - C:\Users\Admin\AppData\Roaming\test1w.exe
        
        "C:\Users\Admin\AppData\Roaming\test1w.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        6⤵
        Executes dropped EXE
        
        PID:5052
      - C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        7⤵
        Executes dropped EXE
        
        PID:5000
  - - C:\Users\Admin\AppData\Roaming\test1w.exe
      "C:\Users\Admin\AppData\Roaming\test1w.exe"
      4⤵
      Executes dropped EXE
      PID:2320
- - C:\Users\Admin\AppData\Roaming\test1w.exe
    "C:\Users\Admin\AppData\Roaming\test1w.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Roaming\skeet.exe
      "C:\Users\Admin\AppData\Roaming\skeet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        9⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        7⤵
        Executes dropped EXE
        
        PID:4908
      - C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        6⤵
        Executes dropped EXE
        
        PID:4920
    - - C:\Users\Admin\AppData\Roaming\NurClient.exe
        
        "C:\Users\Admin\AppData\Roaming\NurClient.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        6⤵
        Executes dropped EXE
        
        PID:1664
  - - C:\Users\Admin\AppData\Roaming\NurClient.exe
      "C:\Users\Admin\AppData\Roaming\NurClient.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Users\Admin\AppData\Roaming\skeet.exe
        
        "C:\Users\Admin\AppData\Roaming\skeet.exe"
        5⤵
        Executes dropped EXE
        
        PID:3488

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4784

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan Alpha (prem).exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfz5swwj.zol.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\NurClient.exe

Filesize
67KB

MD5
44b3f88bf41cc94d7a29d74428179686

SHA1
7b50d502801013ed340a538f1932a6062dfc765d

SHA256
2add340de381aa0c3c0c1f45a37ebf5a757c873cbc070f2ccb00e80d793d3342

SHA512
ce623b0f55d02ac0b09a665919a786147b640c6df63004cc1f0443e3af642907119e04e1c8be0fcc932c9707275ee50ea67f09078fbcf0a4c061bae57bf60f03

Download Submit
C:\Users\Admin\AppData\Roaming\NurClient.exe

Filesize
157KB

MD5
98198dc506f9038bdb935e06635f8f0c

SHA1
0d6f7f2f0b082c0158a42f96136202337da33c64

SHA256
27c1a6f4ed357879f5d43758d1f596e9c899e2995fc6c7ee1e426e59fb050817

SHA512
c7caa8313899d5f6127b46485428713026ea409604ad6803325123927ccada8528d2709990e813d737466dd23dcb63ac4383dd4b2bec6a9107bd3c637e6a12f5

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan Alpha (prem).exe

Filesize
3.5MB

MD5
3972af0b29e3708ed0a24a8228450248

SHA1
544656d4cd451afce236bc8e8b4f138d3b573e7d

SHA256
a54b54c7a1b3a6966b7207aece9d77cdcf48caddd8236fc61060689867ab258f

SHA512
a0b4ca8e728531a9992fec26154260b8cc8d0b380d32e8da3a4f451509640e23d2771ddf4bfe2488c81d4869e7bb648251da3507d98ab3142e48c8e09e7b5dd4

Download Submit
C:\Users\Admin\AppData\Roaming\nur.exe

Filesize
71KB

MD5
162addbe2fd96d0442c7fb4231855279

SHA1
119ab55811b46e949266b393964f6d494d0dc96e

SHA256
780f577c0620f1245217cbefbbd0f94c66b9bd0efb49310204f8b414a293b854

SHA512
8e594992482f15a9d366986b438e598a71d98055aaea87e78abf8b518d76d59524bf80cabf84bba508352ca1022d0a98b01301c91278ff86a47246462d89e605

Download Submit
C:\Users\Admin\AppData\Roaming\skeet.exe

Filesize
147KB

MD5
7967febe5c8d05429d8b86b3f526a7b6

SHA1
87d3d6e07ed6a4fb076a7561ab5f9e9d6064b1e4

SHA256
a1199d6afa00693691e03b3244e970798c128b7f52d78887a9622aabd2ba8303

SHA512
2ccbd355ec7c781abb322ed62ba22671f79080f61a21937d615e2744f6069d5dd31477d7682e7d1c682b1305c9261a20dc68bd06723be18d583d6258acf826a4

Download Submit
C:\Users\Admin\AppData\Roaming\test1w.exe

Filesize
319KB

MD5
ff9321376e90e0ae1478bd12fce85931

SHA1
639cb9225bb206f620e8a258d34032b4197c3440

SHA256
f157f48da00a80bbacecb0a912f2b213cee321c080bd753e1eb871005ada9a74

SHA512
be76d7aa3bc7aa0f9fc0f2128f9c5348ce107419bb6734f09eafdf2ff4ff709692f3d726952f6d9857a6c58766963d2c3e88cc30e2011a1b8011687d092db98f

Download Submit
memory/688-43-0x00000000001C0000-0x0000000000216000-memory.dmp

Filesize
344KB

Download
memory/876-42-0x00007FF8D3C10000-0x00007FF8D46D1000-memory.dmp

Filesize
10.8MB

Download
memory/876-28-0x0000000000720000-0x0000000000AAC000-memory.dmp

Filesize
3.5MB

Download
memory/876-27-0x00007FF8D3C10000-0x00007FF8D46D1000-memory.dmp

Filesize
10.8MB

Download
memory/2948-1-0x0000000000C20000-0x0000000000FC0000-memory.dmp

Filesize
3.6MB

Download
memory/2948-0-0x00007FF8D3C13000-0x00007FF8D3C15000-memory.dmp

Filesize
8KB

Download
memory/3480-67-0x0000000000910000-0x000000000093C000-memory.dmp

Filesize
176KB

Download
memory/3488-171-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/4032-71-0x0000000000560000-0x000000000058E000-memory.dmp

Filesize
184KB

Download
memory/4616-25-0x00007FF8D3C10000-0x00007FF8D46D1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-13-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

Filesize
96KB

Download
memory/4616-194-0x00007FF8D3C10000-0x00007FF8D46D1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-195-0x00007FF8D3C10000-0x00007FF8D46D1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-236-0x00007FF8D3C10000-0x00007FF8D46D1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-126-0x000002CF53C60000-0x000002CF53C82000-memory.dmp

Filesize
136KB

Download