xworm | ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Algorithm_Converter_Arab-you.exe
Size

497KB
MD5

7e01e34e779c50de84cc3e4321d68b6f
SHA1

31ec2e0168867753e0c649dbaeb92aaafb22f6d3
SHA256

ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa
SHA512

af9f51af435f41b9578c72f163d43abb3edd5bfb27fd7b0e4f83799f0df62bf5a9d8e813bf2aab2fc85414ac3f2997400ac5d833d6c77803c568ba954b6c6414
SSDEEP

12288:fGMnkN1TDTvX7ym4vw+8ixjvVem7kC+8:XG1TDTvLVkrMm

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

3skr.uncofig.com:9999

Mutex

f5nPSEGIk3s9ZJvj

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023d8c-7.dat	family_xworm
behavioral2/memory/628-15-0x00000000009B0000-0x00000000009C0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 58 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Algorithm_Converter_Arab-you.exe

Executes dropped EXE 64 IoCs

pid	Process
628	sat.exe
3968	Algorithm_Converter_Arab-you.exe
1580	sat.exe
708	Algorithm_Converter_Arab-you.exe
2328	sat.exe
1484	Algorithm_Converter_Arab-you.exe
2732	sat.exe
228	Algorithm_Converter_Arab-you.exe
4316	sat.exe
2304	Algorithm_Converter_Arab-you.exe
632	sat.exe
5028	Algorithm_Converter_Arab-you.exe
2520	sat.exe
976	Algorithm_Converter_Arab-you.exe
4772	sat.exe
3620	Algorithm_Converter_Arab-you.exe
4780	sat.exe
4912	Algorithm_Converter_Arab-you.exe
536	sat.exe
1628	Algorithm_Converter_Arab-you.exe
2336	sat.exe
1596	Algorithm_Converter_Arab-you.exe
3536	sat.exe
3924	Algorithm_Converter_Arab-you.exe
3228	sat.exe
3036	Algorithm_Converter_Arab-you.exe
4172	sat.exe
4964	Algorithm_Converter_Arab-you.exe
2848	sat.exe
4824	Algorithm_Converter_Arab-you.exe
2600	sat.exe
4732	Algorithm_Converter_Arab-you.exe
880	sat.exe
2640	Algorithm_Converter_Arab-you.exe
2484	sat.exe
432	Algorithm_Converter_Arab-you.exe
4368	sat.exe
4952	Algorithm_Converter_Arab-you.exe
2236	sat.exe
3900	Algorithm_Converter_Arab-you.exe
2300	sat.exe
3188	Algorithm_Converter_Arab-you.exe
3484	sat.exe
2812	Algorithm_Converter_Arab-you.exe
4732	sat.exe
4156	Algorithm_Converter_Arab-you.exe
4576	sat.exe
4624	Algorithm_Converter_Arab-you.exe
4172	sat.exe
2120	Algorithm_Converter_Arab-you.exe
4912	sat.exe
668	Algorithm_Converter_Arab-you.exe
4036	sat.exe
5108	Algorithm_Converter_Arab-you.exe
3196	sat.exe
2236	Algorithm_Converter_Arab-you.exe
456	sat.exe
2288	Algorithm_Converter_Arab-you.exe
3484	sat.exe
1120	Algorithm_Converter_Arab-you.exe
3460	sat.exe
2036	Algorithm_Converter_Arab-you.exe
4032	sat.exe
340	Algorithm_Converter_Arab-you.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
116	ip-api.com
28	ip-api.com
90	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	sat.exe
Token: SeDebugPrivilege	1580	sat.exe
Token: SeDebugPrivilege	2328	sat.exe
Token: SeDebugPrivilege	2732	sat.exe
Token: SeDebugPrivilege	4316	sat.exe
Token: SeDebugPrivilege	632	sat.exe
Token: SeDebugPrivilege	2520	sat.exe
Token: SeDebugPrivilege	4772	sat.exe
Token: SeDebugPrivilege	4780	sat.exe
Token: SeDebugPrivilege	536	sat.exe
Token: SeDebugPrivilege	2336	sat.exe
Token: SeDebugPrivilege	3536	sat.exe
Token: SeDebugPrivilege	3228	sat.exe
Token: SeDebugPrivilege	4172	sat.exe
Token: SeDebugPrivilege	2848	sat.exe
Token: SeDebugPrivilege	2600	sat.exe
Token: SeDebugPrivilege	880	sat.exe
Token: SeDebugPrivilege	4368	sat.exe
Token: SeDebugPrivilege	2236	sat.exe
Token: SeDebugPrivilege	2300	sat.exe
Token: SeDebugPrivilege	3484	sat.exe
Token: SeDebugPrivilege	4732	sat.exe
Token: SeDebugPrivilege	4576	sat.exe
Token: SeDebugPrivilege	4172	sat.exe
Token: SeDebugPrivilege	4912	sat.exe
Token: SeDebugPrivilege	4036	sat.exe
Token: SeDebugPrivilege	3196	sat.exe
Token: SeDebugPrivilege	456	sat.exe
Token: SeDebugPrivilege	3484	sat.exe
Token: SeDebugPrivilege	3460	sat.exe
Token: SeDebugPrivilege	4032	sat.exe
Token: SeDebugPrivilege	3560	sat.exe
Token: SeDebugPrivilege	4580	sat.exe
Token: SeDebugPrivilege	536	sat.exe
Token: SeDebugPrivilege	2180	sat.exe
Token: SeDebugPrivilege	2944	sat.exe
Token: SeDebugPrivilege	1708	sat.exe
Token: SeDebugPrivilege	3752	sat.exe
Token: SeDebugPrivilege	944	sat.exe
Token: SeDebugPrivilege	3704	sat.exe
Token: SeDebugPrivilege	3104	sat.exe
Token: SeDebugPrivilege	2300	sat.exe
Token: SeDebugPrivilege	4652	sat.exe
Token: SeDebugPrivilege	3524	sat.exe
Token: SeDebugPrivilege	2148	sat.exe
Token: SeDebugPrivilege	3944	sat.exe
Token: SeDebugPrivilege	1292	sat.exe
Token: SeDebugPrivilege	1572	sat.exe
Token: SeDebugPrivilege	3900	sat.exe
Token: SeDebugPrivilege	4612	sat.exe
Token: SeDebugPrivilege	2372	sat.exe
Token: SeDebugPrivilege	820	sat.exe
Token: SeDebugPrivilege	4084	sat.exe
Token: SeDebugPrivilege	2056	sat.exe
Token: SeDebugPrivilege	1408	sat.exe
Token: SeDebugPrivilege	1652	sat.exe
Token: SeDebugPrivilege	4868	sat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 628	2580	Algorithm_Converter_Arab-you.exe	87
PID 2580 wrote to memory of 628	2580	Algorithm_Converter_Arab-you.exe	87
PID 2580 wrote to memory of 3968	2580	Algorithm_Converter_Arab-you.exe	90
PID 2580 wrote to memory of 3968	2580	Algorithm_Converter_Arab-you.exe	90
PID 3968 wrote to memory of 1580	3968	Algorithm_Converter_Arab-you.exe	93
PID 3968 wrote to memory of 1580	3968	Algorithm_Converter_Arab-you.exe	93
PID 3968 wrote to memory of 708	3968	Algorithm_Converter_Arab-you.exe	94
PID 3968 wrote to memory of 708	3968	Algorithm_Converter_Arab-you.exe	94
PID 708 wrote to memory of 2328	708	Algorithm_Converter_Arab-you.exe	99
PID 708 wrote to memory of 2328	708	Algorithm_Converter_Arab-you.exe	99
PID 708 wrote to memory of 1484	708	Algorithm_Converter_Arab-you.exe	100
PID 708 wrote to memory of 1484	708	Algorithm_Converter_Arab-you.exe	100
PID 1484 wrote to memory of 2732	1484	Algorithm_Converter_Arab-you.exe	105
PID 1484 wrote to memory of 2732	1484	Algorithm_Converter_Arab-you.exe	105
PID 1484 wrote to memory of 228	1484	Algorithm_Converter_Arab-you.exe	106
PID 1484 wrote to memory of 228	1484	Algorithm_Converter_Arab-you.exe	106
PID 228 wrote to memory of 4316	228	Algorithm_Converter_Arab-you.exe	109
PID 228 wrote to memory of 4316	228	Algorithm_Converter_Arab-you.exe	109
PID 228 wrote to memory of 2304	228	Algorithm_Converter_Arab-you.exe	110
PID 228 wrote to memory of 2304	228	Algorithm_Converter_Arab-you.exe	110
PID 2304 wrote to memory of 632	2304	Algorithm_Converter_Arab-you.exe	113
PID 2304 wrote to memory of 632	2304	Algorithm_Converter_Arab-you.exe	113
PID 2304 wrote to memory of 5028	2304	Algorithm_Converter_Arab-you.exe	114
PID 2304 wrote to memory of 5028	2304	Algorithm_Converter_Arab-you.exe	114
PID 5028 wrote to memory of 2520	5028	Algorithm_Converter_Arab-you.exe	117
PID 5028 wrote to memory of 2520	5028	Algorithm_Converter_Arab-you.exe	117
PID 5028 wrote to memory of 976	5028	Algorithm_Converter_Arab-you.exe	118
PID 5028 wrote to memory of 976	5028	Algorithm_Converter_Arab-you.exe	118
PID 976 wrote to memory of 4772	976	Algorithm_Converter_Arab-you.exe	121
PID 976 wrote to memory of 4772	976	Algorithm_Converter_Arab-you.exe	121
PID 976 wrote to memory of 3620	976	Algorithm_Converter_Arab-you.exe	122
PID 976 wrote to memory of 3620	976	Algorithm_Converter_Arab-you.exe	122
PID 3620 wrote to memory of 4780	3620	Algorithm_Converter_Arab-you.exe	125
PID 3620 wrote to memory of 4780	3620	Algorithm_Converter_Arab-you.exe	125
PID 3620 wrote to memory of 4912	3620	Algorithm_Converter_Arab-you.exe	126
PID 3620 wrote to memory of 4912	3620	Algorithm_Converter_Arab-you.exe	126
PID 4912 wrote to memory of 536	4912	Algorithm_Converter_Arab-you.exe	129
PID 4912 wrote to memory of 536	4912	Algorithm_Converter_Arab-you.exe	129
PID 4912 wrote to memory of 1628	4912	Algorithm_Converter_Arab-you.exe	130
PID 4912 wrote to memory of 1628	4912	Algorithm_Converter_Arab-you.exe	130
PID 1628 wrote to memory of 2336	1628	Algorithm_Converter_Arab-you.exe	133
PID 1628 wrote to memory of 2336	1628	Algorithm_Converter_Arab-you.exe	133
PID 1628 wrote to memory of 1596	1628	Algorithm_Converter_Arab-you.exe	134
PID 1628 wrote to memory of 1596	1628	Algorithm_Converter_Arab-you.exe	134
PID 1596 wrote to memory of 3536	1596	Algorithm_Converter_Arab-you.exe	138
PID 1596 wrote to memory of 3536	1596	Algorithm_Converter_Arab-you.exe	138
PID 1596 wrote to memory of 3924	1596	Algorithm_Converter_Arab-you.exe	139
PID 1596 wrote to memory of 3924	1596	Algorithm_Converter_Arab-you.exe	139
PID 3924 wrote to memory of 3228	3924	Algorithm_Converter_Arab-you.exe	144
PID 3924 wrote to memory of 3228	3924	Algorithm_Converter_Arab-you.exe	144
PID 3924 wrote to memory of 3036	3924	Algorithm_Converter_Arab-you.exe	145
PID 3924 wrote to memory of 3036	3924	Algorithm_Converter_Arab-you.exe	145
PID 3036 wrote to memory of 4172	3036	Algorithm_Converter_Arab-you.exe	150
PID 3036 wrote to memory of 4172	3036	Algorithm_Converter_Arab-you.exe	150
PID 3036 wrote to memory of 4964	3036	Algorithm_Converter_Arab-you.exe	151
PID 3036 wrote to memory of 4964	3036	Algorithm_Converter_Arab-you.exe	151
PID 4964 wrote to memory of 2848	4964	Algorithm_Converter_Arab-you.exe	154
PID 4964 wrote to memory of 2848	4964	Algorithm_Converter_Arab-you.exe	154
PID 4964 wrote to memory of 4824	4964	Algorithm_Converter_Arab-you.exe	155
PID 4964 wrote to memory of 4824	4964	Algorithm_Converter_Arab-you.exe	155
PID 4824 wrote to memory of 2600	4824	Algorithm_Converter_Arab-you.exe	162
PID 4824 wrote to memory of 2600	4824	Algorithm_Converter_Arab-you.exe	162
PID 4824 wrote to memory of 4732	4824	Algorithm_Converter_Arab-you.exe	163
PID 4824 wrote to memory of 4732	4824	Algorithm_Converter_Arab-you.exe	163

C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
"C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\sat.exe
  "C:\Users\Admin\AppData\Local\Temp\sat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
  "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\sat.exe
    "C:\Users\Admin\AppData\Local\Temp\sat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
    "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Users\Admin\AppData\Local\Temp\sat.exe
      "C:\Users\Admin\AppData\Local\Temp\sat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
      "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        19⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        34⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        35⤵
        Checks computer location settings
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        36⤵
        Checks computer location settings
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        37⤵
        Checks computer location settings
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        38⤵
        Checks computer location settings
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        39⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        40⤵
        Checks computer location settings
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        41⤵
        Checks computer location settings
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        42⤵
        Checks computer location settings
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        43⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        44⤵
        Checks computer location settings
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        45⤵
        Checks computer location settings
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        46⤵
        Checks computer location settings
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        47⤵
        Checks computer location settings
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        48⤵
        Checks computer location settings
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        49⤵
        Checks computer location settings
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        50⤵
        Checks computer location settings
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        51⤵
        Checks computer location settings
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        52⤵
        Checks computer location settings
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        53⤵
        Checks computer location settings
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        54⤵
        Checks computer location settings
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        55⤵
        Checks computer location settings
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        56⤵
        Checks computer location settings
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        57⤵
        Checks computer location settings
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        58⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\sat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sat.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe"
        59⤵
        
        PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Algorithm_Converter_Arab-you.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Algorithm_Converter_Arab-you.exe

Filesize
497KB

MD5
7e01e34e779c50de84cc3e4321d68b6f

SHA1
31ec2e0168867753e0c649dbaeb92aaafb22f6d3

SHA256
ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa

SHA512
af9f51af435f41b9578c72f163d43abb3edd5bfb27fd7b0e4f83799f0df62bf5a9d8e813bf2aab2fc85414ac3f2997400ac5d833d6c77803c568ba954b6c6414

Download Submit
C:\Users\Admin\AppData\Local\Temp\sat.exe

Filesize
38KB

MD5
e164da45cc32bca07988cacac801769e

SHA1
52a3c61a3d34463fc1af177432d7c479ecdbc516

SHA256
ca900befdbee89117db35225852504d18b34ce00fe0fc079cd6c295204f620f6

SHA512
308c8d12c3f504099f7bba2d0f2a9624a9318a353af8ec13a460ca50b64928a6f39384c80d195e3f431ea7da7b76e0610332f5629af853d61e708869bd23ecb7

Download Submit
memory/628-15-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/628-16-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/628-26-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/628-27-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/2580-0-0x00007FFBB60A3000-0x00007FFBB60A5000-memory.dmp

Filesize
8KB

Download
memory/2580-4-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/2580-1-0x00000000004F0000-0x0000000000570000-memory.dmp

Filesize
512KB

Download
memory/2580-20-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/3968-21-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/3968-22-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download
memory/3968-25-0x00007FFBB60A0000-0x00007FFBB6B61000-memory.dmp

Filesize
10.8MB

Download