Malware Analysis Report

2025-04-13 23:03

Sample ID 250322-g2ht3ay1fs
Target archive_7.zip
SHA256 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f
Tags
collection credential_access discovery persistence spyware stealer dcrat infostealer rat xworm trojan remcos host office04 hacked umbral quasar njrat xenorat neuf defense_evasion privilege_escalation execution vipkeylogger keylogger
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)

Each behavioral analysis below has the sections Detonation Overview, Command Line, Signatures, Processes, Network and Files.

Analysis: behavioral23
Analysis: behavioral26
Analysis: behavioral14
Analysis: behavioral19
Analysis: behavioral31
Analysis: behavioral15
Analysis: behavioral25
Analysis: behavioral2
Analysis: behavioral10
Analysis: behavioral16
Analysis: behavioral22
Analysis: behavioral9
Analysis: behavioral13
Analysis: behavioral18
Analysis: behavioral28
Analysis: behavioral32
Analysis: behavioral1
Analysis: behavioral3
Analysis: behavioral5
Analysis: behavioral6
Analysis: behavioral17
Analysis: behavioral21
Analysis: behavioral24
Analysis: behavioral29
Analysis: behavioral12
Analysis: behavioral27
Analysis: behavioral30
Analysis: behavioral4
Analysis: behavioral7
Analysis: behavioral8
Analysis: behavioral11
Analysis: behavioral20

Analysis Overview

score
10/10

SHA256

6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Threat Level: Known bad

The file archive_7.zip was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery persistence spyware stealer dcrat infostealer rat xworm trojan remcos host office04 hacked umbral quasar njrat xenorat neuf defense_evasion privilege_escalation execution vipkeylogger keylogger

Umbral

Xenorat family

Detect XenoRat Payload

Umbral family

Dcrat family

Xworm

Remcos

DCRat payload

UAC bypass

Vipkeylogger family

Process spawned unexpected child process

Quasar RAT

Quasar payload

VIPKeylogger

DcRat

Remcos family

Njrat family

Xworm family

Detect Umbral payload

njRAT/Bladabindi

Quasar family

Detect Xworm Payload

DCRat payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads WinSCP keys stored on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Browser Information Discovery

Program crash

Detects videocard installed

Checks processor information in registry

outlook_office_path

Uses Task Scheduler COM API

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-22 06:18

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

Dcrat family

dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Detect XenoRat Payload

Description Indicator Process Target
N/A N/A N/A N/A

Njrat family

njrat

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (25 identical rows)

Analysis: behavioral23

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2872 set thread context of 1784 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2872 set thread context of 1032 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A (6 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A (24 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A (30 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe (4 identical rows)
PID 2872 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe (4 identical rows)
PID 2872 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe (4 identical rows)
PID 2872 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe (9 identical rows)
PID 2872 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe (9 identical rows)

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp

Files

memory/784-0-0x0000000074841000-0x0000000074842000-memory.dmp

memory/784-9-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/784-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/784-10-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/784-11-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/784-23-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/784-24-0x0000000074840000-0x0000000074DEB000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 52fb55a1222aba62a80fe4888cd5f0a0
SHA1 db6bda74d90463c533a29e49cc715242661d562e
SHA256 e0c3c50f574a2d872991aec7082e075f3813e8c913c679a8e4f5e1d3606eeafd
SHA512 747447b49572c1cb74fdb18d3551beff0e4065270555e1459f13353a8b4c3af7e1bc95ae601d56556728f95717c103b9e8a798d937e34a19c45b04089902d3d8

memory/2872-32-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/784-31-0x0000000074840000-0x0000000074DEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD153.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2872-40-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/2872-41-0x0000000074840000-0x0000000074DEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarDEFB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

memory/1784-67-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1784-65-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1784-63-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1032-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1784-74-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1784-73-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1784-72-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1784-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1784-69-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2872-87-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/2872-90-0x0000000074840000-0x0000000074DEB000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

74s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/2836-0-0x00007FFF45053000-0x00007FFF45055000-memory.dmp

memory/2836-1-0x00000000003A0000-0x00000000005AA000-memory.dmp

memory/2836-2-0x00007FFF45050000-0x00007FFF45B11000-memory.dmp

memory/2836-3-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

memory/2836-4-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

memory/2836-6-0x00007FFF45050000-0x00007FFF45B11000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250313-en

Max time kernel

123s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 iznarf.bplaced.net udp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 iznarf.bplaced.net udp
DE 162.55.0.137:80 iznarf.bplaced.net tcp

Files

memory/32-0-0x00007FF8477F5000-0x00007FF8477F6000-memory.dmp

memory/32-1-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-2-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-3-0x000000001BC50000-0x000000001C11E000-memory.dmp

memory/32-6-0x000000001C2D0000-0x000000001C332000-memory.dmp

memory/32-7-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-5-0x000000001C1C0000-0x000000001C25C000-memory.dmp

memory/32-4-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-9-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-8-0x0000000000D10000-0x0000000000D18000-memory.dmp

memory/32-10-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-13-0x00007FF8477F5000-0x00007FF8477F6000-memory.dmp

memory/32-14-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

memory/32-15-0x00007FF847540000-0x00007FF847EE1000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

18s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Xworm

trojan rat xworm

Xworm family

xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A (32 rows, alternating with the row below)
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A (32 rows, alternating with the row above)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2096 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2640 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2708 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 2708 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2692 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 2692 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2584 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2584 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2576 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2576 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3060 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3060 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2924 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2924 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2876 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2876 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1336 wrote to memory of 880 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1336 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1608 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1608 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/2096-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

memory/2096-1-0x0000000000980000-0x00000000009D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 e0918682feb10b28a39a9cfbf4d2d90c
SHA1 c33f8518747e96955387bac3c8299eea24357fe0
SHA256 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01
SHA512 dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

memory/2640-13-0x0000000000EF0000-0x0000000000F36000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 3ac2fbaa37549eb0c50eedbca0da41c2
SHA1 a486d241a02989d2adbff9785c7c39e68a2934af
SHA256 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd
SHA512 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7

memory/2488-75-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

memory/2488-76-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

memory/2488-16-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

memory/2488-9-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20250207-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2912 set thread context of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2344 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2912 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

Network

Country Destination Domain Proto
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp

Files

memory/2344-0-0x0000000074E81000-0x0000000074E82000-memory.dmp

memory/2344-8-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/2344-9-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/2344-10-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/2912-29-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/2344-28-0x0000000074E80000-0x000000007542B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

MD5 0a18d56f34538070a8a715ec937a8929
SHA1 0ae813ceb71e5dc1e4ace6b1def908041bf4b3b4
SHA256 8a7e36230788c35f10b15313f478cd339dd30e609bf25d56be769a22a8bc0736
SHA512 4264c9e915db1a30901025078828c82c353855f255fbc5ddefe75078dc0f5dc1eaa2a1fe8270c11fc8f051319409fbb2e52938399f51334a43291a7f4a50f8e6

C:\Users\Admin\AppData\Local\Temp\CabDDF0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2912-37-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/2912-38-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/3044-62-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2912-61-0x0000000074E80000-0x000000007542B000-memory.dmp

memory/3044-60-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-59-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-56-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-55-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-52-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3044-48-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-46-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-44-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-42-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-40-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3044-65-0x0000000000400000-0x0000000000417000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2436 set thread context of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2436 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2832 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp

Files

memory/1792-0-0x0000000074541000-0x0000000074542000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC6E9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1792-1-0x0000000074540000-0x0000000074AEB000-memory.dmp

memory/1792-23-0x0000000074540000-0x0000000074AEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarC6EC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarC986.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 961dcab7b4519de9b2959e37b9acd44d
SHA1 af9819559394cc28e9dace6762ba1ac3a2ab90f6
SHA256 d91056bfdf292f5b7b1e3fd4fc0da907308c4a8a5a28ede7597dc3b52c816ce4
SHA512 0c9bda9646a86489408de99903dce44f42827ce771ebe91efbd4b7475125c9180127d396f729bd48ac61202d1c75784735300f343cdee6f2c81dd0b96ffd45c6

memory/1792-184-0x0000000074540000-0x0000000074AEB000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 d85ce7c078fad704704709cfdf6cc6cc
SHA1 11a6f9f84f7dcda89c4ae1a4da2b5e2dbbdd396e
SHA256 2dcbcee32b967f6559e0aa2d151a0cbedf7f218e25c59437bfc5a27b463ead2d
SHA512 dab904dc1071cce585c2fda5fa70e5acd64985ef3fec7ff3c0f6268dd29d3d687d0d99a607a4a6e5987333e24e98d9740a1d3d942dd410dcb4cc14ee41972870

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 1ea27366e034eb9447a33ce639c01489
SHA1 d12ed3e7e60c65ce90f0a58b9b9e47292caed923
SHA256 788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452
SHA512 e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 4ea113be8aaac780e38eebd189c6f4ec
SHA1 94c79c5ae47fdb125258188bdf8bf5c7647da214
SHA256 e8cc316fbaab36d49e1fd45afb5888bc6af41d89e4f02866f9f393ed8917fe09
SHA512 54699b354150f3eb7db1319e27a9dd6b663396e2183259a6e143c4c4def393498fc797f78896abf0bf4ec3807857b3943ecaed7103d1bf36a379b39c9e80b795

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 3b5e0bd6640456a749d9155e6c135727
SHA1 7d985e42e7df8cac3cf7ec917df10b9fbef09a21
SHA256 c362a3d2b661c6066a02fc169faaa1976c2f6160da5837c7e68b7e0f67b794ed
SHA512 b1b669bad519dccab5224c8fcdb13bb2b015e22fd30ba57e92c9cde4480e655f19f0bbb862db5fd87828d2a3ab74c4a6090f36b6358f9eefe5c82e024afe4a3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 986d462ad9a78fe82b53b4d11378f7bb
SHA1 5486751c9cd15b8859d567760d6515051d0266a0
SHA256 daf8bf7df824637a59589ad97f2939e674f7b6c5ccf0d6186f9214dc14245590
SHA512 5cc6fb85ffbb942bd0e01666cf3cc976155fc3f6c683a6ad8d6e44cabdf04d59b16f17772ba5b88f3bfcf3db92cc5053bc8432efe920fe755ac0080fdb99f5c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40df535c351f239056edfb75868b5198
SHA1 06f70046e3efa59a9fa3803ed7252952087ec38a
SHA256 0f33b43515d31fb3774c03779fff8a50783eff7521dbc18ff37ec9f555c7ac62
SHA512 57c9d6ac831da0ee2bed3cf08500467965fa7e65d2e3bd0af470aac72ffcec43d836f88b80291073650331d82046e14b13bd1ccfb78890c58dd17de38517e813

memory/1792-194-0x0000000074540000-0x0000000074AEB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e8ee1b4414c537fd2a8de0f8b2a055a
SHA1 756824cedb7593bbd72d66adf74e81ed2e93cca8
SHA256 e42360a439b896ac6c8e24befa7114900f2455eae37c8794d2289bc0f70fba77
SHA512 000db366827f53bfd4b6e9624c03337c49ca406dd871f4363d46d93ee03b9e233ab8ed8aa334173668e8a8d4a671337564dbd5c2ddf2151cfed5e87cd8885368

memory/2832-366-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2832-365-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2832-363-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20250207-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Network

N/A

Files

memory/2596-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/2596-1-0x0000000000280000-0x000000000048A000-memory.dmp

memory/2596-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/2596-3-0x0000000000250000-0x000000000025E000-memory.dmp

memory/2596-4-0x0000000000260000-0x000000000026E000-memory.dmp

memory/2596-5-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5940.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX5DC8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5941.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX5E46.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2832 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 5936 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 5936 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2832 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 2832 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 4424 wrote to memory of 2300 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4424 wrote to memory of 2300 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4424 wrote to memory of 5740 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4424 wrote to memory of 5740 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2300 wrote to memory of 5016 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 2300 wrote to memory of 5016 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 5016 wrote to memory of 4908 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 4908 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 4700 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5016 wrote to memory of 4700 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4908 wrote to memory of 1996 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 4908 wrote to memory of 1996 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 1996 wrote to memory of 648 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 648 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 1544 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1996 wrote to memory of 1544 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 648 wrote to memory of 1688 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 648 wrote to memory of 1688 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 1688 wrote to memory of 5112 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 5112 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 3276 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1688 wrote to memory of 3276 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5112 wrote to memory of 4796 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 5112 wrote to memory of 4796 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 4796 wrote to memory of 4412 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4796 wrote to memory of 4412 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4796 wrote to memory of 5292 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4796 wrote to memory of 5292 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4412 wrote to memory of 4844 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 4412 wrote to memory of 4844 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 4844 wrote to memory of 3720 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4844 wrote to memory of 3720 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4844 wrote to memory of 3548 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4844 wrote to memory of 3548 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3720 wrote to memory of 2644 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 3720 wrote to memory of 2644 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 2644 wrote to memory of 6044 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2644 wrote to memory of 6044 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2644 wrote to memory of 3900 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2644 wrote to memory of 3900 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 6044 wrote to memory of 3964 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 6044 wrote to memory of 3964 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 3964 wrote to memory of 2532 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3964 wrote to memory of 2532 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3964 wrote to memory of 4196 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3964 wrote to memory of 4196 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2532 wrote to memory of 4112 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 2532 wrote to memory of 4112 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
PID 4112 wrote to memory of 5044 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4112 wrote to memory of 5044 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4112 wrote to memory of 2964 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4112 wrote to memory of 2964 N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe C:\Windows\System32\WScript.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
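
The three values zeroed above are the UAC policy knobs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA = 0 switches UAC off once the machine reboots, ConsentPromptBehaviorAdmin = 0 lets members of Administrators elevate with no consent prompt, and PromptOnSecureDesktop = 0 moves any prompt that still appears off the secure desktop, where another window can overlay it. The writes come from both the original dropper in Temp and the RuntimeBroker.exe copy planted under Windows Photo Viewer\de-DE, so the same policy damage is redone by the persisted copy. The following Python is an added example, not part of the sandbox report or the sample: it parses rows in this table's format, compares each value with the Windows default and emits the reg.exe commands that restore the defaults. The row strings are copied from the table above; the defaults table holds the Windows defaults and the regex is an assumption about the report's row layout. Resetting the values is only the registry half of a cleanup; the persisted binaries and tasks still have to go.

```python
import re

# Rows copied from the "System policy modification" table above
# (columns: Description Indicator Process Target, space separated as the page prints them).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe N/A',
]

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows default values for the three UAC knobs the sample zeroes.
UAC_DEFAULTS = {
    "EnableLUA": "1",                   # 0: UAC disabled entirely once the machine reboots
    "ConsentPromptBehaviorAdmin": "5",  # 0: administrators elevate silently, no consent prompt
    "PromptOnSecureDesktop": "1",       # 0: any remaining prompt is drawn on the normal, spoofable desktop
}

# Assumed row layout: 'Set value (<type>) <key>\<name> = "<value>" <process path> <target>'.
# The process path may contain spaces, so it is matched non-greedily up to the final token.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<value>[^"]*)" '
    r'(?P<process>.+?) (?P<target>\S+)$'
)


def parse_set_value(row):
    """Parse one 'Set value' row; returns None for rows in another format."""
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def assess_uac(rows):
    """Return {value_name: {"value": v, "processes": set}} for every UAC policy write weaker than default."""
    findings = {}
    for row in rows:
        rec = parse_set_value(row)
        if rec is None or rec["key"].lower() != UAC_POLICY_KEY.lower():
            continue
        expected = UAC_DEFAULTS.get(rec["name"])
        if expected is not None and rec["value"] != expected:
            f = findings.setdefault(rec["name"], {"value": rec["value"], "processes": set()})
            f["processes"].add(rec["process"])
    return findings


def remediation_commands(findings):
    """reg.exe commands that put the defaults back (EnableLUA only takes effect after a reboot)."""
    hive_path = UAC_POLICY_KEY.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    return [
        f'reg add "{hive_path}" /v {name} /t REG_DWORD /d {UAC_DEFAULTS[name]} /f'
        for name in sorted(findings)
    ]


if __name__ == "__main__":
    found = assess_uac(SAMPLE_ROWS)
    for name, f in sorted(found.items()):
        print(f"{name} set to {f['value']} by {len(f['processes'])} process image(s)")
    print("\n".join(remediation_commands(found)))
```

The same parser works on a full export of the table; the process set per value is what tells you whether only the dropper or also its persisted copies touched the policy.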

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b6ae157-8b64-43cb-ac10-a948f173177f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986d70b7-8c75-4058-9f1f-4cf43ce0a349.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb7bcdea-7451-4191-97bb-7b63583916a8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a76d9b01-68ad-4456-a1a4-00c1be7279e6.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d8afdd-eb20-4e77-b784-b85e7f9732e7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11a04fb8-89e2-47d7-8e08-bbf933b6c666.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adae97e0-5685-40c2-a067-5084cdafa210.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6791963a-f45c-4765-beb6-e7982de27768.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b4b5c5-dbff-4607-8e87-0383aaa9a4e4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbbca99c-bd07-4012-ab91-e0547f958ba5.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6700d9fb-c70e-4df5-802b-0a60dde3a10d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2010a383-8cfa-4199-ac9e-39e244c1c1de.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2aa43f5-8e59-4c2f-a2c1-f6e1860f8773.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ae8190-d26a-46e1-b614-1d5a1cceb15e.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d4f751-9ef0-4884-911e-d5bcc125af2c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30476efc-f3f6-4980-8ce8-6a01e7edc179.vbs"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1789c539-d417-4967-a27b-2073ad42ae17.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b708f5-8b3b-4a9d-812e-f8fab493c2ab.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp

Files

memory/2832-0-0x00007FFD48583000-0x00007FFD48585000-memory.dmp

memory/2832-1-0x0000000000080000-0x000000000026A000-memory.dmp

memory/2832-2-0x00007FFD48580000-0x00007FFD49041000-memory.dmp

memory/2832-3-0x0000000002380000-0x000000000239C000-memory.dmp

memory/2832-6-0x00000000023A0000-0x00000000023B0000-memory.dmp

memory/2832-9-0x00000000023F0000-0x0000000002446000-memory.dmp

memory/2832-13-0x000000001AFA0000-0x000000001AFB2000-memory.dmp

memory/2832-11-0x000000001AF90000-0x000000001AF98000-memory.dmp

memory/2832-10-0x0000000002490000-0x000000000249C000-memory.dmp

memory/2832-15-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

memory/2832-20-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

memory/2832-17-0x000000001AFF0000-0x000000001AFFE000-memory.dmp

memory/2832-19-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

memory/2832-18-0x000000001B000000-0x000000001B008000-memory.dmp

memory/2832-16-0x000000001AFE0000-0x000000001AFEA000-memory.dmp

memory/2832-14-0x000000001C060000-0x000000001C588000-memory.dmp

memory/2832-8-0x00000000023D0000-0x00000000023DA000-memory.dmp

memory/2832-7-0x00000000023B0000-0x00000000023C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCX54A9.tmp

MD5 192f0f1221e376146e725a4d23ee69a0
SHA1 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
SHA256 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
SHA512 daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

memory/2832-5-0x0000000000B80000-0x0000000000B88000-memory.dmp

memory/2832-4-0x0000000002440000-0x0000000002490000-memory.dmp

C:\Users\Default\Documents\sysmon.exe

MD5 580e5064ca4b779d1d09219a657b7d50
SHA1 4f8ea6b2f6a4a6d7b8557a5f77278bbf6b8f7161
SHA256 2a6b133585b2961795c3cbb04a618a8686fee464bb3419e337140f9ded074dff
SHA512 85c088a2263d6341adf1837beb64e5369482c27cd1108e7f7637a4cf3d206c817bfa6f1ed1cfdaca4f3e8f612202125c63981debe2ac0f1052d1b16dd2023e77

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

MD5 b7894080a21eb5a3bce7689afbb0522f
SHA1 e4b1e9b8c5457b36927b850a1efd2a13c47357de
SHA256 a639a90c71371f8ea6c9caf3a8f8ac932bd5e94ebbd8a94ba80bb7646862130b
SHA512 dbd9c611da30593733a8cf7a030c0a56a53b1050811cdfd22d0a2d5754b9212a3a09994e12617e9918b7e08784dbc4105bdacf67cec7ef7d96f3b4f56db79f3e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rg2ywzog.5go.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4028-138-0x00000219EDF90000-0x00000219EDFB2000-memory.dmp

memory/4424-186-0x00000000003C0000-0x00000000005AA000-memory.dmp

memory/2832-187-0x00007FFD48580000-0x00007FFD49041000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 084d49c16a0db5a169356315e8e97d83
SHA1 af662c8666ef7c52c9711c0f143e0b8620f27d19
SHA256 a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2
SHA512 c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ffb4808be0aaa918b807bb4dd4f5e080
SHA1 8895ae463a633e1201ed09468acc86e1e57a838b
SHA256 26fb93195d69045c08c9720cd9291fec8cb24fe49f5dd2604c26d6873f41c3b2
SHA512 7370e92e6c097ee52ef4d3e3b9ccbf482bbd3603bb25355c84c4c1599c94c8d0d4edc230d7db1ab8dd4d34c40afec839187fa5db46d48c58802e9e3107414ed9

memory/4424-199-0x000000001CD50000-0x000000001CDA6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 842369b08704bbddf9de4d90016e58dd
SHA1 8bc3da656c08abbc14c58201e65b0dc823964bea
SHA256 cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808
SHA512 8f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42

C:\Users\Admin\AppData\Local\Temp\0b6ae157-8b64-43cb-ac10-a948f173177f.vbs

MD5 93e69e1ff8482f031b35d40d2ef71303
SHA1 d77127acce0290e180676f139fcaf8335af765b2
SHA256 9081711b1675f592ace8cdf863fc0d8ee9b611a7f0ff3844914846277f62a8d2
SHA512 44eb6228484aeed97f6d96cc4f94e046adb2ddd129b2145fa71e1d834a8d3a6640b2b6c73af0f18da1344ebe06e22fce19524a9b3a825bf39d3e0a8addec0e23

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 364147c1feef3565925ea5b4ac701a01
SHA1 9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA256 38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512 bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

C:\Users\Admin\AppData\Local\Temp\a76d9b01-68ad-4456-a1a4-00c1be7279e6.vbs

MD5 70001a75882477b11b14ead821e0041c
SHA1 bc61badbf3c0b0e20506b7205db00040035fcbce
SHA256 0163fece010a4d0cfd72d263786e1f7dafa903dd8bb4dcb190f88da1d7e2f2ef
SHA512 9b02297879ffb5b5c5ed99ce87d9bb4e10d18c12c0da25bc6a4d799b3e827d9274bc7d6e6bf2a10112dab6adfcca47fd1933efc9ca8a751d2b30f5a0e63d277e

C:\Users\Admin\AppData\Local\Temp\eb7bcdea-7451-4191-97bb-7b63583916a8.vbs

MD5 cb9b41199d53f23bd89d4d8fd909a9db
SHA1 fe7dc4654ec51deda888f6b96e5337297f9a8c69
SHA256 848bda3d52d9c1443ec77e96eceeeabea683e8b9aa93e83c12e4e1f2a9e76e63
SHA512 565dcf2e1d438b1e2e5a43faa4370b3d95bd24b96a8e2fc82c34fa6b12cb100e16b6871ae9ed9f3108f928ec29c95dac951fc77601f189aa40ccd7f96b91affa

C:\Users\Admin\AppData\Local\Temp\75d8afdd-eb20-4e77-b784-b85e7f9732e7.vbs

MD5 ee37f0cb0dffd9aa549a48dc18ac09ec
SHA1 604645fe606098e8163aba99dda3870b3b02daa0
SHA256 59283d2cba9109742391c88ce249e395bda4a76121e900b3a8b87f923c9203a2
SHA512 37134845e7c5c3b49e4db2cea5b99beeb1c1fc4fd1a3d5cd5daf521833507707ec6d08e272d75048bc5224a37538824bbcd6c8b43c851a283eea74403d4053ee

memory/1688-233-0x000000001BDF0000-0x000000001BE02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\adae97e0-5685-40c2-a067-5084cdafa210.vbs

MD5 ba6115ad6f7d86261f8c6f87a007a44a
SHA1 4356173d94a391cf9d8300561864e11302b2a101
SHA256 d540ed9f50e9fae86ada2e15a683a26ff7f44289b640841c1c8b84014233cbf5
SHA512 bad9ba2c46f02281c2961f9b45bad5298c4f0e4e333f0b8f75cbf2104608b832bef3ca97fa2f83077cf2e867fdf9366ad7d551606a33f0b1ccb9e0bf97e2e1f4

C:\Users\Admin\AppData\Local\Temp\b0b4b5c5-dbff-4607-8e87-0383aaa9a4e4.vbs

MD5 0810b2bf273f247893a309e7c28f2f77
SHA1 ce453f4c13e8c82b84d7ae489d483a6fc020844b
SHA256 1acb333b8f6649a966339896ca11f92b5b08106443a0a340e3986cb25d59ccef
SHA512 e392e0dd705af82cb4dcb686036f983d98de520e57b7510f3420dd9b7f23d129c51b3a23ca75c49cf714dee3704eb5a60dc24c9a19462b09c173de7c3ef267d0

C:\Users\Admin\AppData\Local\Temp\6700d9fb-c70e-4df5-802b-0a60dde3a10d.vbs

MD5 b8739458d1e32adb250fb571d618a0e8
SHA1 aec28b21fc530f20e364f63597e282bdf7820b25
SHA256 b348155d09610b0027d2af8ced9f13d674076e6bc57e5bb8fb1170cf2d684be0
SHA512 77ca8c26988b44941023083784b069a089c48067bdcac8c0868f331e7b3daa917e164f6ac7e2cc83492739515f895153d97289503528aec56b7eeb2926189664

C:\Users\Admin\AppData\Local\Temp\b2aa43f5-8e59-4c2f-a2c1-f6e1860f8773.vbs

MD5 b26b53442243ddf60685b746c32a0e07
SHA1 aa585329e3921ac1a530a6e9598746e6058fba09
SHA256 ccde0b0a1c225eae73a5b51ff720c1859eade7ae1bfa04a8826d8e37600c5ab5
SHA512 a49ffb4e8c216c1b91ae43b591af07d7af6d7560fde075e2ae4fdc2b58f1fa40fbaa30346b6a4d7e62eaf82a033d5430208b22540d49aaadbbefe0bafe3cbba9

memory/3964-278-0x000000001D240000-0x000000001D252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\58d4f751-9ef0-4884-911e-d5bcc125af2c.vbs

MD5 0a2e3215745ff4c5b946949b2fe2fbf4
SHA1 4aea9d97e32f82ec670a9e9e02b1e20ee2f1c627
SHA256 cd3e08e48e2030fa770869ddbce520198a001e47895c79f069b1f65269606977
SHA512 94fd68ff0f253697264141ea0039eb9e6b86940eb8f1d20c2c1c73fbe6e74baac474f7d4163eccbc90ff7b0e4f7d69909adee3aa4cfffcde3a93227d5a884ec2

C:\Users\Admin\AppData\Local\Temp\1789c539-d417-4967-a27b-2073ad42ae17.vbs

MD5 b7ecc58b7f6d397feb464dd173641da7
SHA1 a4bb906602e86f8df5d5f8efdcfbc00fc4bd1505
SHA256 6a55cf218a931fa5c0553f356211aa3c5e61d5f9e1f4717401f22fee98d65a87
SHA512 209b2d9aba98c6db84e41019aee110a3e0aee085ed21c40a0647c6f86a7d4a2073ef929636221569cea72aaf70f27783d3a9fe2bff71772a94ee9e2ed2c1e05d

Analysis: behavioral10

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

132s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4580 set thread context of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4580 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4580 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4580 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
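
Read together with the SetThreadContext table above, these rows separate into two patterns. PID 4580 (the dropper) writes into PIDs 2140, 4844 and 4856, which the Processes list below shows are the two PowerShell children and the schtasks child; the sandbox records a write for every child a process spawns, so those rows on their own carry little signal. PID 4580 also writes three times into PID 5788, a second instance of its own image, and then sets that process's thread context: that is the trace process hollowing leaves (a suspended child of the same image, its memory overwritten, its start thread redirected), and the 0x400000 region of PID 5788 recorded under Files is where to look for the injected payload. The following Python is an added example, not report or sample code: it groups rows from both tables by (source PID, target PID) and labels each pair. The rows are copied from the two tables; the list of "spawn noise" child images and the verdict names are my assumptions.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" and "Suspicious use of
# SetThreadContext" tables above (the report prints one row per API call, so repeats are kept).
SAMPLE_ROWS = r'''
PID 4580 set thread context of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4580 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4580 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
'''.strip().splitlines()

# Assumed row layout: 'PID <src> <op> <dst> N/A <source image> <target image>'. The source image
# is matched non-greedily up to the next " X:\" so paths containing spaces still split correctly.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)

# Assumed: interpreters and LOLBins a dropper routinely spawns. Writes into a freshly created
# child of this kind are what the sandbox logs for an ordinary CreateProcess and carry little signal.
SPAWN_NOISE = ("\\powershell.exe", "\\schtasks.exe", "\\cmd.exe", "\\wscript.exe", "\\netsh.exe")


def parse_row(row):
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def verdict(chain):
    writes, ctx = chain["writes"], chain["context_sets"]
    if writes and ctx:
        same_image = chain["src_img"].lower() == chain["dst_img"].lower()
        return "self_hollowing_candidate" if same_image else "cross_image_injection"
    if ctx:
        return "thread_context_only"
    if chain["dst_img"].lower().endswith(SPAWN_NOISE):
        return "spawned_child_writes"
    return "writes_only"


def injection_chains(rows):
    """Group rows by (source PID, target PID), count the two operations and label each pair."""
    chains = {}
    for row in rows:
        r = parse_row(row)
        if r is None:
            continue
        key = (r["src"], r["dst"])
        c = chains.setdefault(
            key, {"src_img": r["src_img"], "dst_img": r["dst_img"], "writes": 0, "context_sets": 0}
        )
        c["writes" if r["op"].startswith("wrote") else "context_sets"] += 1
    for c in chains.values():
        c["verdict"] = verdict(c)
    return chains


if __name__ == "__main__":
    for (src, dst), c in injection_chains(SAMPLE_ROWS).items():
        print(f'{src} -> {dst}: writes={c["writes"]} ctx={c["context_sets"]} {c["verdict"]}')
```

On a live host the equivalent pairing is a process creation with the suspended flag followed by writes and a thread-context change on the same child; the sandbox rows only give you the write and context-set halves, which is why the same-image check does the heavy lifting here.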

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBBE.tmp"

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.48.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/4580-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

memory/4580-1-0x0000000000BF0000-0x0000000000CA2000-memory.dmp

memory/4580-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

memory/4580-3-0x00000000056F0000-0x0000000005782000-memory.dmp

memory/4580-4-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/4580-5-0x00000000056B0000-0x00000000056BA000-memory.dmp

memory/4580-6-0x00000000069C0000-0x00000000069D0000-memory.dmp

memory/4580-7-0x00000000748CE000-0x00000000748CF000-memory.dmp

memory/4580-8-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/4580-9-0x0000000006A10000-0x0000000006A9E000-memory.dmp

memory/4580-10-0x000000000A5D0000-0x000000000A66C000-memory.dmp

memory/2140-15-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/2140-16-0x0000000002370000-0x00000000023A6000-memory.dmp

memory/2140-17-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/2140-18-0x0000000004E60000-0x0000000005488000-memory.dmp

memory/4844-22-0x00000000053D0000-0x0000000005436000-memory.dmp

memory/2140-33-0x0000000005680000-0x00000000059D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_foyrrmvz.av4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpBBBE.tmp

MD5 74462885d88a62da553d1f1ac504321a
SHA1 e51b459fdffb9b36418af5199e7ad9049abdecd3
SHA256 0c8200e36b80511ecfc6efa6f24d5fc8ed50c8732ec08c7645e1b92c8e32446b
SHA512 96b8323bfa2d0549c355f9edd81e89717a3cc3e14f47a40e7b4a20d509dd5b983a301d3845af770eae0450f9adf7af962180919ec365022558cec214b4df6040

Analysis: behavioral16

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250313-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3344 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3344 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 976 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 5024 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 5024 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 5024 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3016 -ip 3016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 80

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 80

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp

Files

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 9c128ec6111b20f64d7dd0d7cbc1261f
SHA1 e3572f7846f7411a5680677dc2dc065740874a39
SHA256 2736418dd3b86592668eb3a2057b6cd4048739d23754a7519e394677ef955181
SHA512 046e35d22185d04f4be1fe9f737c9d0c97073ba1f4cdbd092cda444cf1c166b41b62033e8fed7fc3b98901f73bcc1850b0d7957d5c848f8278cc066eb9d8c90c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Analysis: behavioral22

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\SchCache\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\SchCache\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\SchCache\RuntimeBroker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SchCache\RuntimeBroker.exe N/A
N/A N/A C:\Windows\SchCache\RuntimeBroker.exe N/A
N/A N/A C:\Windows\SchCache\RuntimeBroker.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Client\Registry.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\edge_BITS_4596_217729105\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\RCX67D4.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\edge_BITS_4596_217729105\RCX6F1E.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\Registry.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\RCX67E5.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\edge_BITS_4596_217729105\RCX6EA0.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SchCache\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\SchCache\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\SchCache\RCX6C0E.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\SchCache\RCX6C8C.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\SchCache\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\SchCache\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\SchCache\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\SchCache\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SchCache\RuntimeBroker.exe N/A
N/A N/A C:\Windows\SchCache\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SchCache\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SchCache\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SchCache\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5808 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5576 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5576 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\cmd.exe
PID 4440 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\cmd.exe
PID 5124 wrote to memory of 4152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5124 wrote to memory of 4152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5124 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\SchCache\RuntimeBroker.exe
PID 5124 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\SchCache\RuntimeBroker.exe
PID 3452 wrote to memory of 5596 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3452 wrote to memory of 5596 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3452 wrote to memory of 3816 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3452 wrote to memory of 3816 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5596 wrote to memory of 5580 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\RuntimeBroker.exe
PID 5596 wrote to memory of 5580 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\RuntimeBroker.exe
PID 5580 wrote to memory of 6056 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5580 wrote to memory of 6056 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5580 wrote to memory of 4708 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5580 wrote to memory of 4708 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 6056 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\RuntimeBroker.exe
PID 6056 wrote to memory of 3928 N/A C:\Windows\System32\WScript.exe C:\Windows\SchCache\RuntimeBroker.exe
PID 3928 wrote to memory of 644 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 644 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 4912 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3928 wrote to memory of 4912 N/A C:\Windows\SchCache\RuntimeBroker.exe C:\Windows\System32\WScript.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
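
The three values rewritten above are the whole of the UAC policy that matters to a dropper: EnableLUA=0 switches UAC off (this one only takes full effect after a reboot), ConsentPromptBehaviorAdmin=0 makes administrators elevate with no consent or credential prompt, and PromptOnSecureDesktop=0 moves whatever prompt remains onto the normal desktop. The Python below is an added example, not part of this report or of the sandbox that produced it: it parses "Set value" rows in exactly the layout shown in this table, keeps only writes under the UAC policy key that leave a value weaker than its Windows default (the defaults 1, 5 and 1 are Windows' own; the sample rows are copied from the table above as constructed input), collapses the sandbox's repeated rows into a count, and emits the `reg add` commands that restore the defaults.

```python
import re

# The HKLM policy key that governs User Account Control.
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values the sample rewrites: (Windows default, data values that weaken UAC, effect of the weak value).
UAC_VALUES = {
    "EnableLUA": (1, {0}, "UAC disabled outright; admin-user processes run fully elevated after the next reboot"),
    "ConsentPromptBehaviorAdmin": (5, {0}, "administrators elevate silently, with no consent or credential prompt"),
    "PromptOnSecureDesktop": (1, {0}, "any remaining prompt is drawn on the normal desktop, where it can be automated or spoofed"),
}

# One 'Set value' signature row:  Set value (int) <key\name> = "<data>" <process> <target>
ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.+) (\S+)$')

def parse_set_value(row):
    """Split one signature row into its fields, or return None if it is not a 'Set value' row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    vtype, path, data, process, target = m.groups()
    key, _, name = path.rpartition("\\")
    return {"type": vtype, "key": key, "name": name, "data": data, "process": process, "target": target}

def uac_findings(rows):
    """One finding per distinct (process, value, data) that leaves UAC weaker than its default.
    The sandbox repeats identical rows; 'count' records how often each write was seen."""
    hits = {}
    for row in rows:
        ev = parse_set_value(row)
        if ev is None or ev["key"].lower() != UAC_KEY.lower() or ev["name"] not in UAC_VALUES:
            continue
        default, weak, effect = UAC_VALUES[ev["name"]]
        if not ev["data"].lstrip("-").isdigit() or int(ev["data"]) not in weak:
            continue
        k = (ev["process"], ev["name"], int(ev["data"]))
        if k in hits:
            hits[k]["count"] += 1
        else:
            hits[k] = {"process": ev["process"], "value": ev["name"], "observed": int(ev["data"]),
                       "default": default, "effect": effect, "count": 1}
    return list(hits.values())

def writers(findings):
    """Distinct images that tampered with UAC, sorted."""
    return sorted({f["process"] for f in findings})

def restore_commands(findings):
    """reg.exe commands that put every tampered value back to its Windows default (one per value)."""
    cmds = []
    for name in sorted({f["value"] for f in findings}):
        default = UAC_VALUES[name][0]
        cmds.append('reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" '
                    f"/v {name} /t REG_DWORD /d {default} /f")
    return cmds

# Rows copied from the 'System policy modification' table of this report (constructed sample input).
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SchCache\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
'''.strip().splitlines()

if __name__ == "__main__":
    found = uac_findings(SAMPLE_ROWS)
    for f in found:
        print(f"{f['process']}: {f['value']}={f['observed']} (default {f['default']}, seen {f['count']}x) -> {f['effect']}")
    print("\n".join(restore_commands(found)))
```

On a live host the same three values are read from `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; the restore commands only undo the registry side, and a host where EnableLUA was zeroed needs a reboot before UAC is actually back.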

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qBGrhynT9k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SchCache\RuntimeBroker.exe

"C:\Windows\SchCache\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ba4ddaa-2c4c-440c-91ea-27a1f3bfde1a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2ed16b-a161-447d-b2d2-35a36bb2eea3.vbs"

C:\Windows\SchCache\RuntimeBroker.exe

C:\Windows\SchCache\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20626e4a-0faf-4ef3-8ddf-a195b3f2a6e8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7969a5-c762-4775-ad8b-e59e5d56ba70.vbs"

C:\Windows\SchCache\RuntimeBroker.exe

C:\Windows\SchCache\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016572c6-dcbe-4182-ba74-32fa00f2c5ad.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71eb074a-ff8c-4127-bcc0-fbc231863966.vbs"
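
The process list above shows the persistence and evasion pattern in full: every dropped copy gets a pair of tasks, one ONLOGON task with `/rl HIGHEST` and one `/sc MINUTE` task that respawns it every few minutes, the copies borrow the names of genuine Windows binaries (RuntimeBroker.exe, services.exe, SearchApp.exe) but live outside those binaries' home directories, and a separate `Add-MpPreference -ExclusionPath` call is made for every top-level directory of C:, which amounts to excluding the whole volume from Defender. The Python below is an added example, not code from this report or its sandbox: it parses the `schtasks /create` and `Add-MpPreference` command lines in the form they take here (note the `/tr` value is wrapped in double and single quotes, `"'...'"`), and flags masquerading, user-writable targets, watchdog intervals, logon triggers, highest-privilege runs and broad exclusions. The home-directory map, the user-writable prefixes and the 15-minute watchdog threshold are assumptions of the example; the sample lines are copied from this report as constructed input and also include the `/XML` task form and single-file exclusion that appear in the behavioral9 run further down, to show the cases where the command line alone does not reveal the target.

```python
import re
from pathlib import PureWindowsPath

# Genuine Windows binaries whose names the dropped files borrow, mapped to the directory the
# real binary lives in (assumed map). Running one of these names from anywhere else is masquerading.
SYSTEM_BINARY_HOME = {
    "runtimebroker.exe": "c:\\windows\\system32",
    "services.exe":      "c:\\windows\\system32",
    "searchapp.exe":     "c:\\windows\\systemapps",
}
# Directory prefixes an unprivileged user can normally write to (assumed list, lower-case).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# A /sc MINUTE trigger at or below this interval is a respawn watchdog, not maintenance (assumed threshold).
WATCHDOG_MINUTES = 15

SCHTASKS_OPT = re.compile(r'/(tn|sc|mo|tr|rl|xml)\s+("[^"]*"|\S+)', re.IGNORECASE)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)

def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl /xml values of a schtasks /create command line, quotes stripped."""
    opts = {}
    for key, val in SCHTASKS_OPT.findall(cmdline):
        opts[key.lower()] = val.strip('"').strip("'")
    return opts

def triage_task(cmdline):
    """Flag the persistence traits of one scheduled-task creation."""
    o = parse_schtasks(cmdline)
    target = o.get("tr", "")
    p = PureWindowsPath(target)
    name, folder = p.name.lower(), str(p.parent).lower()
    schedule = o.get("sc", "").upper()
    flags = []
    home = SYSTEM_BINARY_HOME.get(name)
    if home and not folder.startswith(home):
        flags.append("masquerade")
    if folder.startswith(USER_WRITABLE):
        flags.append("user_writable")
    if schedule == "MINUTE" and int(o.get("mo") or 1) <= WATCHDOG_MINUTES:   # /mo defaults to 1
        flags.append("watchdog")
    if schedule == "ONLOGON":
        flags.append("logon_trigger")
    if o.get("rl", "").upper() == "HIGHEST":
        flags.append("highest_privileges")
    if "xml" in o:                      # the action lives in the XML file, not on the command line
        flags.append("action_in_xml")
    return {"kind": "task", "name": o.get("tn", ""), "target": target, "flags": flags}

def triage_exclusion(cmdline):
    """Flag Defender path exclusions; excluding a drive root or a top-level directory blinds
    real-time scanning for everything beneath it."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    path = PureWindowsPath(m.group(1).replace("/", "\\"))
    depth = len(path.parts) - 1          # 'C:\' -> 0, 'C:\Windows' -> 1
    flags = ["broad_exclusion"] if depth <= 1 else []
    return {"kind": "exclusion", "path": str(path), "depth": depth, "flags": flags}

def triage(cmdlines):
    """Classify each command line; lines that are neither form are ignored."""
    out = []
    for c in cmdlines:
        low = c.lower()
        if "schtasks" in low and "/create" in low:
            out.append(triage_task(c))
        elif "add-mppreference" in low:
            ex = triage_exclusion(c)
            if ex:
                out.append(ex)
    return out

def drive_root_excluded(findings):
    """True when any exclusion covers an entire volume."""
    return any(f["kind"] == "exclusion" and f["depth"] == 0 for f in findings)

# Command lines copied from this report (constructed sample input).
SAMPLE = r"""
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /f
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp"
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
    print("whole drive excluded:", drive_root_excluded(triage(SAMPLE)))
```

Two caveats when reusing this on real telemetry: a task created with `/XML` carries its action and triggers in the XML file, so the `tmpF0B5.tmp` file (or the task's own definition under `C:\Windows\System32\Tasks`) has to be read to learn what it runs; and `Add-MpPreference` only works when the caller is already an administrator, so a successful exclusion of `C:/` is itself evidence that the sample was elevated when it ran.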

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0889572.xsph.ru udp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp

Files

memory/4440-0-0x00007FFB5C993000-0x00007FFB5C995000-memory.dmp

memory/4440-1-0x0000000000360000-0x0000000000C58000-memory.dmp

memory/4440-2-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/4440-3-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmp

memory/4440-4-0x0000000001420000-0x000000000142E000-memory.dmp

memory/4440-5-0x0000000001430000-0x000000000143E000-memory.dmp

memory/4440-6-0x0000000001440000-0x0000000001448000-memory.dmp

memory/4440-7-0x0000000002E90000-0x0000000002EAC000-memory.dmp

memory/4440-8-0x0000000003030000-0x0000000003080000-memory.dmp

memory/4440-10-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/4440-9-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

memory/4440-13-0x0000000003020000-0x0000000003032000-memory.dmp

memory/4440-12-0x0000000003010000-0x0000000003018000-memory.dmp

memory/4440-11-0x0000000002FF0000-0x0000000003006000-memory.dmp

memory/4440-14-0x0000000003090000-0x000000000309C000-memory.dmp

memory/4440-15-0x0000000003080000-0x0000000003088000-memory.dmp

memory/4440-16-0x00000000030A0000-0x00000000030B0000-memory.dmp

memory/4440-17-0x000000001B980000-0x000000001B98A000-memory.dmp

memory/4440-18-0x000000001BAC0000-0x000000001BB16000-memory.dmp

memory/4440-19-0x000000001B990000-0x000000001B99C000-memory.dmp

memory/4440-20-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

memory/4440-21-0x000000001BB10000-0x000000001BB1C000-memory.dmp

memory/4440-22-0x000000001BB20000-0x000000001BB28000-memory.dmp

memory/4440-24-0x000000001D2F0000-0x000000001D302000-memory.dmp

memory/4440-25-0x000000001D850000-0x000000001DD78000-memory.dmp

memory/4440-33-0x000000001D580000-0x000000001D58A000-memory.dmp

memory/4440-41-0x000000001D600000-0x000000001D60C000-memory.dmp

memory/4440-40-0x000000001D700000-0x000000001D70A000-memory.dmp

memory/4440-39-0x000000001D5F0000-0x000000001D5F8000-memory.dmp

memory/4440-38-0x000000001D5D0000-0x000000001D5DC000-memory.dmp

memory/4440-37-0x000000001D5C0000-0x000000001D5C8000-memory.dmp

memory/4440-36-0x000000001D5B0000-0x000000001D5BE000-memory.dmp

memory/4440-35-0x000000001D5A0000-0x000000001D5A8000-memory.dmp

memory/4440-34-0x000000001D590000-0x000000001D59E000-memory.dmp

memory/4440-32-0x000000001D570000-0x000000001D57C000-memory.dmp

memory/4440-31-0x000000001D5E0000-0x000000001D5E8000-memory.dmp

memory/4440-30-0x000000001D360000-0x000000001D36C000-memory.dmp

memory/4440-29-0x000000001D350000-0x000000001D35C000-memory.dmp

memory/4440-28-0x000000001D340000-0x000000001D348000-memory.dmp

memory/4440-27-0x000000001D330000-0x000000001D33C000-memory.dmp

memory/4440-26-0x000000001D320000-0x000000001D32C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCX65C0.tmp

MD5 5d8505501b7faa4c7e541b0a32467a58
SHA1 ed0b9de10c38774af49d9279e25a8958817f33a7
SHA256 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca
SHA512 a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

C:\Windows\SchCache\RuntimeBroker.exe

MD5 22a708087242dc27cf3b2287dcef9c54
SHA1 edfd010cb5168ed11f6e527011862f0341f41257
SHA256 b14a69a55e6297ed6f45ff0142f11882c237dd1ec5f6d754ba81afeb79f82a5d
SHA512 e7c46dcc261bb1bee2c4c7460a31f88191c44fd69d276ac4b68c91192fe4c541db42443fb25c1616ff00d254a52e7eaea2c74813a34135eeb2f0356f63e999ef

C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe

MD5 c4f20b3daec8da9201a5db7645dbecbc
SHA1 6840df79e3192739090b6e2eb73a02069493d920
SHA256 93f7c3241d7f7ddd215eca92edc2c0f75588e1655bf3e82c9a4144cbce37f312
SHA512 980aa912418c7182fb5d95e641ed33fcdbbda33b819a300b39478f46cd3e024a342533248a5feb5adbece9dd48f7b0343dd8b49fae6c1484f2486304ad68201e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45q3dq30.1kd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/884-125-0x000001D07E230000-0x000001D07E252000-memory.dmp

memory/4440-144-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qBGrhynT9k.bat

MD5 419c283ac4129c67d4061846103ce2b4
SHA1 6fe7c117266cd2ade613ea82cf639b209ee1139f
SHA256 d5ebc5a4678364498c5803df0eddf506fdee8761edbdc699cffc325d814480f5
SHA512 774f71852835b8f67f78f547244aab11422e4732ad50f17e8a5a2db7b219ed6a76dd92f5eebbfa26e47a337e4b4630519d0848328565137c5220f01025df7ba2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 856d4328f99937476c1d34b5a03daaf8
SHA1 367f439b74760c236f1a95cf5d7de28ff3ec4b40
SHA256 6159722066119c162ed49973d2852c8c4420d89fcc78e69e2e7317a53f85cca1
SHA512 7782c1f714d9c21512b46f0c3caa1c475d304f0fd9b6c4537b3c4ac3b3a5ec9a6ee83d5240867364c34c8ac7a751f90aacce6d952d5ea17af834c65a5ef5d91e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 672e8b21617ca3b368c6c154913fcfff
SHA1 cb3dab8c008b5fba2af958ce2c416c01baa6a98b
SHA256 b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec
SHA512 98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c56ba5098c530bbd1cdb28d50090d39
SHA1 ff63178ea722ec2db118c81051bf85544fb6b316
SHA256 0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1
SHA512 cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a39de506d9f3cb0eef9451868bf8f3ff
SHA1 183758ff7964ae923989989be46a822e0d4dc37f
SHA256 d982bcb0bdbe495e997ead8d128c2f8f0bb66c41fc5e0142d4fb5bf9193e1416
SHA512 041df31ed5f2668dcf99143cbffcc7891394f33c6229f2459cba2226f07a8fcf31e072db62c6735fdb4b9fbc103998094a735a285db84a69bb7d983ffb96efaa

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f3d606f9a5f1201bfc1f01c54e842c4
SHA1 f1917e50b557b135953ecbe63e1fc1e675b541f1
SHA256 dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a
SHA512 d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f0db2be09ea50e93f81f83a58fdc049
SHA1 862883227880dde307538079454109d35f39723e
SHA256 b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d
SHA512 a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea2f44a25582e20c2e1d21c73bbd4fa1
SHA1 d63ef1804bad1a542aeb3cf5111cd86a9111d7a1
SHA256 43ec39d124ebadf53f254b9aef5f1d2f73526a681682d0409af5e34beb8737d8
SHA512 49ed57cd127b56793cf2bc1dfae0ccb45d3a9eaaf9475ea7ec65b4d6782c0b846b832bedfa19e65c4b54d7a7b19dfd177bfcb3e0fadad8640c4bb6515ee2c835

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 354ebb8d437ee057dacfef36baced4e9
SHA1 30460dbe64847ebb524d7d1fd5b9bf8a851a7626
SHA256 bcf3ba98af6ee96a3eba9bbc6bdb2ae36b883f5f1e9cdad2974cbbcb9c102237
SHA512 1f2cb272ad33df6e34949ac4d60ec0702316d9e21992be52cd9c6abd846472e7c868a8e96b5922b016e7952e460671e5768d007e28d84940a1b956eef4705b53

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 990f2ad22e4ee8bb16d0e84568ff1c04
SHA1 8ee103c2c4969dd252d3f136479e718361e2ace2
SHA256 9e058905555242348650ecae8008fd39cf63bac0f3160637aab912fd54fd2578
SHA512 ab70a31915f4241c23a020a0e1c8ad5b2468c06911ceb4418b5377619953780f14070a2674858b1a7d999b356448ffdb51db6393e56f20defb291866383f5802

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3452-255-0x0000000000DF0000-0x00000000016E8000-memory.dmp

memory/3452-257-0x000000001D370000-0x000000001D382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0ba4ddaa-2c4c-440c-91ea-27a1f3bfde1a.vbs

MD5 9d2cb3a1c306ab483d679cbc4501b77b
SHA1 3c164647f53162cd52a36e101e9e0564ed5564d0
SHA256 7153cdad4019e129359209facf9def753001fe5feb4b589e95de99cbd700097b
SHA512 ea042c73f6e931219ee1731879d7b9d635239848998a232c16c9907130a7d91bb49974cd35b355166f2befb5cd21f12713964bb4a95be1115fbe369b2e27e2bf

C:\Users\Admin\AppData\Local\Temp\7d2ed16b-a161-447d-b2d2-35a36bb2eea3.vbs

MD5 e066f2f4b6ad5a9d0ea363ecb06f39fb
SHA1 11475ba0dc83b982056b11bca29b76a0c0669359
SHA256 8fdb7c35e437cd511fbc0ef39569c3ed897ce87d37e8f4e2055debd005f5638c
SHA512 0db1a7449c6cf1eb814ed802bb3492a8d56e6cb31b139241d59b5b7972288a748c6698da2ddf3ad925a8bd57ada3fe8889fc58a0cc42d619c8e0f365ccb4db62

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 229da4b4256a6a948830de7ee5f9b298
SHA1 8118b8ddc115689ca9dc2fe8c244350333c5ba8b
SHA256 3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11
SHA512 3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

C:\Users\Admin\AppData\Local\Temp\20626e4a-0faf-4ef3-8ddf-a195b3f2a6e8.vbs

MD5 df51fa1d2b197e92d0c729951cb4eacb
SHA1 2bc7bf81c37accb381f81c83bccef9bf49ee719d
SHA256 c180f6165ba171d913f166fefed5f69c040e3d20ba96435c4b728daac1d85fa4
SHA512 6f26152fdb48083366608bad541ba556ff8f65cce319acb13c9dbd2aa3aa66776f47c436023400a52743c2a7092f276ed1308dab2515f339acb32dcad867bff4

memory/3928-283-0x000000001DB00000-0x000000001DB12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\016572c6-dcbe-4182-ba74-32fa00f2c5ad.vbs

MD5 0c7e8ce20911836f15b1542c555e8dcc
SHA1 0bd49cfd05078cceeb0aa301133f33dab95cbba9
SHA256 0ca836d9c5ff38e389e3aa620d9b2ee26b4d4e7185b1a6ce8db89ac5d617b074
SHA512 99a78e24f46d98c088e9339cb83adf08348c532888ccce3aa76e98f69778a6b90bf43ecaeed0e56ce754d76f173b85e91e8808babd2559cd8f50ddef0d1df4bd

Analysis: behavioral9

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2348 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2348 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2348 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp"

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.112.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2348-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

memory/2348-1-0x0000000001270000-0x0000000001322000-memory.dmp

memory/2348-2-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2348-3-0x0000000000540000-0x0000000000550000-memory.dmp

memory/2348-4-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

memory/2348-5-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2348-6-0x0000000004EA0000-0x0000000004F2E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABCJFME44B4CV80LK6HC.temp

MD5 dcbaa970f0757370ee49b3f0c7b7285b
SHA1 75915ebf67e6e1a7f6c93610711645cdac8a653e
SHA256 378ddb79ce32e7244786209333123fc77b9ee33d9a0aaa31f6e2842353f6fc99
SHA512 f2f98a190eb20a1098d416e93002af3130a76f88c6809a0d41b62d46d49e74f77e01ffa2ba0554d9e94c2cc77a454adaf61424b42b5f71fb52da15871f3258dd

C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp

MD5 466b40fe54d1ea6c03f569d5bb3607e2
SHA1 1699e64c15e44b536752d2bd40799ffffbea167c
SHA256 d6e49379d1626cb5811940cfb7b29b40cc313c6986b80388ed603db300ac4dc2
SHA512 6566bff61ee5c8c730372e65fc2dd7088d94ddd5c5a796adfb2efcde2052585da18693b55173c58cadfb7a800baed853760f82c5b3a97fd3338634e5ff5dda6a

memory/2752-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2752-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2348-31-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2752-28-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2752-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-25-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2752-23-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2752-21-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2752-19-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20241010-en

Max time kernel

130s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iznarf.bplaced.net udp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp

Files

memory/2848-0-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

memory/2848-1-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2848-2-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2848-3-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2848-4-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2848-5-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2848-8-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

memory/2848-9-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/2848-10-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\sk-SK\RCXA564.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\System32\sk-SK\RCXA565.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\System32\sk-SK\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\edge_BITS_4732_595216890\services.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\edge_BITS_4680_1850129863\f11cf609cd2375 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\edge_BITS_4732_595216890\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX9EC6.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\services.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4732_595216890\RCXA855.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4732_595216890\RCXB36A.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\edge_BITS_4732_595216890\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\edge_BITS_4732_595216890\services.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\edge_BITS_4732_595216890\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4732_595216890\RCXA7E7.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\services.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4680_1850129863\RCX9CB1.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4680_1850129863\RCX9CB2.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX9EC7.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4732_595216890\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\edge_BITS_4732_595216890\RCXB36B.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Speech\Engines\Lexicon\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\Speech\Engines\Lexicon\RCXAEE2.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\Speech\Engines\Lexicon\RCXAEE3.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5780 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5176 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5928 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 2332 wrote to memory of 3560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2332 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
PID 3572 wrote to memory of 4560 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3572 wrote to memory of 996 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4560 wrote to memory of 3244 N/A C:\Windows\System32\WScript.exe C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
PID 3244 wrote to memory of 2360 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3244 wrote to memory of 548 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2360 wrote to memory of 4756 N/A C:\Windows\System32\WScript.exe C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
PID 4756 wrote to memory of 3352 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 4756 wrote to memory of 2648 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3352 wrote to memory of 1152 N/A C:\Windows\System32\WScript.exe C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
PID 1152 wrote to memory of 5584 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1152 wrote to memory of 2812 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5584 wrote to memory of 4964 N/A C:\Windows\System32\WScript.exe C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
PID 4964 wrote to memory of 5804 N/A C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sihost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XeGdH0U8sJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

"C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0c5fc13-d501-4833-9b9b-2f080c1c8aaa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a79a36d-291c-4c41-a4e1-ce73bfd5be23.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239e4973-5b62-442b-9de7-006ed6a8a33a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29977282-8079-4515-abe5-95d953d4d2e7.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86e9093d-cfd8-4f3c-89b1-c4cc91329d80.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a0d340d-5da3-465a-b7c6-c63eca7fb974.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba6a0cf-f68f-41a4-9e7a-e7243952869a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c72cc37-3e9c-428a-9a57-6cf126c94b89.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec648c8-1a84-4dd5-ad79-9f0512d16478.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51408b74-5209-4e9d-b34f-994d528be8c5.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4c3d2b5-daef-4164-abe0-b84a7d8560d3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02724ef0-5704-4728-b259-f0ec34b3f4cb.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\821b7e38-7e51-4bcc-a17e-12564ee68448.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf45963-e3ec-464e-b072-bde9404bf4cd.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba768da-aa2e-42b0-ba71-4d52689d6e04.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a40fb0b-9503-440c-b053-ed4004efd2ff.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358be680-2edf-4b05-9c24-bcc49573f997.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d6ae010-d3de-4322-b7bf-6677de9dfa0a.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6333a880-14b3-4f87-8e0c-51f77801efe1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df513f0-9eab-4cfb-928d-280ba06f91cb.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf4002af-6d93-4c21-97ce-fba11d964f3b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023f77f7-844f-45b0-905c-a371be847a67.vbs"

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe

Network

Country Destination Domain Proto
RU 62.109.4.67:80 62.109.4.67 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 142.250.187.195:80 c.pki.goog tcp

Files

C:\Users\Public\Pictures\Idle.exe

C:\d25f591a00514bc9ba8441\RuntimeBroker.exe

C:\Program Files\edge_BITS_4732_595216890\dllhost.exe

C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

C:\d25f591a00514bc9ba8441\sihost.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2wcp2y1.ewv.ps1

C:\Users\Admin\AppData\Local\Temp\XeGdH0U8sJ.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\c0c5fc13-d501-4833-9b9b-2f080c1c8aaa.vbs

MD5 dbfcce4076e8ff82286fe0d4ec14e327
SHA1 51ff3b3e7553284fc14f6f4eb52eae48bfe01223
SHA256 7474a8bc8be3589e71ef8f54095860c2d32f41caa8746a295b74ba50fb7cd60e
SHA512 65e3c682ea3e7bcf7133576566e1a52a0a715bbb40d3bb26936b26983077401cbfa8a6cfee1c7e122704cf1e054716910c1865b44a6a789c9565122ac3a8ae1e

C:\Users\Admin\AppData\Local\Temp\5a79a36d-291c-4c41-a4e1-ce73bfd5be23.vbs

MD5 22d515b4a64ce57c1c1c31a9b64e113a
SHA1 8b383c0ee29c26de3b9783ef85f48e06c92427a6
SHA256 59e60ca1f17345edc462be9e4429bf29563f87730fc2fa37f22d3725c0e4f17c
SHA512 5d51c57e787ec356a3dd4647595e500b74637b0f56388b898dffa81ee8c9d7e5f988df037c3cd62ff3d5f474d3a5bd2c24e51143fdfb138b191260fbe73692d4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 3690a1c3b695227a38625dcf27bd6dac
SHA1 c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Temp\239e4973-5b62-442b-9de7-006ed6a8a33a.vbs

MD5 a1811be40e8ec17443497f144ecdf2c6
SHA1 729ed8edbe42d15d598d394181b848157c7031a0
SHA256 39229f21fb68c998531270104d905cf456bb74b97bd6045de7df102345de25c1
SHA512 c0e327dee8ec4a11c8c94cbadab52b110867ee62a15003f3adc4fa50182b27660e6cffddbce703d688ed5536ee1ec078334598c05a1f7011799d61eba2604147

C:\Users\Admin\AppData\Local\Temp\86e9093d-cfd8-4f3c-89b1-c4cc91329d80.vbs

MD5 3b5c4d0fb412836761cf85d0a31fc9c3
SHA1 b6c452f3e8922e390ed1089b2963d9ed57dc6134
SHA256 7d49609c68c3b3071f6ade1f4735464a18aece8bca9da0531067c38f32df8b14
SHA512 8d2c9f7468c083015a973e9cc1d4a394d52e76418875617b4e77d03bfdb06bdc38cf23e6d544cdb69767782a9b8add1fe7c1dc6a7d61160d6dcd628a554ed709

C:\Users\Admin\AppData\Local\Temp\3ba6a0cf-f68f-41a4-9e7a-e7243952869a.vbs

MD5 ba2b74eb21d71fc714c5db526384bd2b
SHA1 c15c61e3392989940572cd4cfed075480e04bcd5
SHA256 208ea1e7031e389f37d956ed08da1ac3892ed4b2c72bbec594ae9cc8aee3c073
SHA512 18f4cc2e4d3ba7ab18bc78f177f1a7cf747d81238c822f273c8778d037cfcd0c8ad0550f9827e434fbc5897d5dc6a8637c3bb0c06387599cee22a2e1fff86775

C:\Users\Admin\AppData\Local\Temp\3ec648c8-1a84-4dd5-ad79-9f0512d16478.vbs

MD5 388a7990fcb69ce25e1dc4ea7d2b3ed0
SHA1 0eb5120858f8a55f8229c7aa60d051fbdceefdde
SHA256 24c84a11b9f08da8311f69e17175d22ba59048614796a19e115a7d530cd23bdb
SHA512 f3d217032edf77e17a1ceedd007f5d7edb324739d584f415733fa3ad37bac0481ea1a4b004d9c6173bc7c3a1d73d068ab552afb02e4a904685bfa9b852c2e646

C:\Users\Admin\AppData\Local\Temp\e263bd33ce825262c0c77aaee9ec2b40e5eedeee.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\a4c3d2b5-daef-4164-abe0-b84a7d8560d3.vbs

MD5 e8779d2ec891514a7300384857fc15a6
SHA1 fa4eaf918686d669f600f30d982dbb4bc744253f
SHA256 217f80116979cbca906d775772faf19dd6aa0271131a2ffeb704f67e8ae91b06
SHA512 66a8239b529c86d5a8f4822af6746fdfd9cbaa53574a4498ae69a0e758c32e8752afc398d940a9e1f0b987a8d0162584fbc06d19a31fa511cdfa7c95027cbb2a

C:\Users\Admin\AppData\Local\Temp\821b7e38-7e51-4bcc-a17e-12564ee68448.vbs

MD5 218a452d57745303612c32c51065f137
SHA1 a25e3bdd6e65417d0d188957bf46e825661d30e1
SHA256 345b8d81188a1e6b257ab72c16563d026ae2b388a334b2098f2d915151d967b7
SHA512 9c1ce6da80eae453db35d7942b1b2a243a9d5a1dfe06dfc700b9db138d5b21692859d450875dac9f9b5217cb891e6a8efc49d522a986dd73346baffd1b124861

C:\Users\Admin\AppData\Local\Temp\aba768da-aa2e-42b0-ba71-4d52689d6e04.vbs

MD5 18499dad257230cc7a24c8008c3ea79c
SHA1 cd4a56ee3f8d847a2426191ea97956c351611477
SHA256 81a97f61c3cb4cef2091a36dd15cc72d4dd95f21cfdecdeb3629b4ae486f299f
SHA512 5b1a850f7dff222c5468d134ce470899ccff9bcdfd3c5a37cb3c323a188bb31fe695e87c38003ccd9529141c0375ed94f11858d3a31408e04c87ca61177c4b62

C:\Users\Admin\AppData\Local\Temp\358be680-2edf-4b05-9c24-bcc49573f997.vbs

MD5 a4a31e821e12cecde8acfeec7e8a7a97
SHA1 cf52a699f95fc8e2a5b99da174f096f3e5e6778b
SHA256 2977946777895e90ba48a573358899eeea59b88a3f7196053c5ba1013e05404a
SHA512 3885e7e0d828d8ba4f9b96595a1e4d1bbd624ab8008870d31678fc0412f61ebb1ed9657eee35056623b3bb1bd65626bddb88700a8ed800f6e53d143812d090e0

C:\Users\Admin\AppData\Local\Temp\6333a880-14b3-4f87-8e0c-51f77801efe1.vbs

MD5 0eed7707b6934c5b19f065ab098b2ea7
SHA1 f9fb519b395d2184bf979206ca38cae5a45ef73d
SHA256 e2c219ed32e0a3aa7780d434f23cff2ca0cd7c2b54f02cb3b26b078a476c7701
SHA512 5b4525a2afc317432263709fbfc7267e441ef4cd441ea8a659acb4e225b78b80c04f3ac31cc12ff4be28eb6c5f9c1608f33c05ed6692813cf0bf98033038ac85

C:\Users\Admin\AppData\Local\Temp\bf4002af-6d93-4c21-97ce-fba11d964f3b.vbs

MD5 135190d89c524caa61af63b624751b4c
SHA1 7bdbca909bee9b5320d818c4a03ecb5f3c51a69f
SHA256 ec7707d0ca57de6a43215a224c5ef4b9606196952b1dfb5877b335f57ad87d1f
SHA512 3a3aa29a284e9f6128c5ec29671d5940b834978017d35347b2d7f982a9ec517ecf01681224101f2265539b0d37748df7fb289a48b6e6c5df3f901a1aac129f0f

Analysis: behavioral28

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
N/A 192.168.1.55:4782 N/A tcp
N/A 192.168.1.55:4782 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.55:4782 N/A tcp
N/A 192.168.1.55:4782 N/A tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
N/A 192.168.1.55:4782 N/A tcp
N/A 192.168.1.55:4782 N/A tcp
N/A 192.168.1.55:4782 N/A tcp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 35110eedb3518d1905b88025bf11b77d
SHA1 c39e96cc0dcb14065984c3d3fbff331070e37feb
SHA256 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd
SHA512 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2

Analysis: behavioral32

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 440 set thread context of 3408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
(3 identical entries)
PID 440 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
(9 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

Network

Country Destination Domain Proto
RU 213.183.58.19:4000 N/A tcp
RU 213.183.58.19:4000 N/A tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
RU 213.183.58.19:4000 N/A tcp
RU 213.183.58.19:4000 N/A tcp
RU 213.183.58.19:4000 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 213.183.58.19:4000 N/A tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

MD5 3dde06982003b0e533a684df3964d63e
SHA1 13247f80d6a518716b9f121591d1eeea814fc680
SHA256 1e9f626bab720bb552f865e01a7f3b33edb848047fdcf0404d9864c7bc9088bd
SHA512 3aafe2560ba495366749738aea8e75ee415f50ef69236a2b10086711a214fa68bdc963ffec4d304dd9fc6fd6a1272451023e5862aaa7f7ef13b36242425e10af

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe N/A
(33 identical entries)

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File created | C:\Program Files\Windows Media Player\fr-FR\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX6F24.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File created | C:\Program Files\Windows Media Player\fr-FR\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX6F25.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCX7B00.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\fr-FR\RCX6A40.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\fr-FR\RCX6A41.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\fr-FR\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCX7B01.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 33 (identical rows, one per schtasks /create command line listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A | 3
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A | 8

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 12
Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A | 8

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2280 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WScript.exe | 3
PID 2280 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2280 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | 3
PID 1740 wrote to memory of 2200 | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Windows\System32\WScript.exe | 3
PID 1740 wrote to memory of 1928 | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Windows\System32\WScript.exe | 3
PID 2200 wrote to memory of 1512 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | 3
PID 1512 wrote to memory of 1764 | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Windows\System32\WScript.exe | 3
PID 1512 wrote to memory of 2428 | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Windows\System32\WScript.exe | 3
PID 1764 wrote to memory of 3036 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | 3
PID 3036 wrote to memory of 3048 | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Windows\System32\WScript.exe | 3
PID 3036 wrote to memory of 2420 | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Windows\System32\WScript.exe | 3
PID 3048 wrote to memory of 2216 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | 1

System policy modification

defense_evasion
Description | Indicator | Process | Target | Count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A | 8
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A | 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e82330-10e4-4d69-9ac7-ae20e57401a6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000a36eb-8f05-429d-855f-89b30d664d3d.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ad17da4-5d28-4cd3-a423-197244fd6b37.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84943063-e335-42af-b71f-b023053a5e6b.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b4bf8ee-f19c-4b34-b84f-556cf4df2999.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f95aca8-b736-4c7b-86e9-e0f13a37da05.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e482dfe-79c2-45b2-844d-0acd5076dd8a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e8eb5e-cd31-40f9-81bc-38767d6b7880.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\071b134e-531d-47df-b1b7-f33365a13a85.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc235d5d-142a-4fc2-a493-2f9f613403bc.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b3cfbd5-f0bf-4992-ad0e-9d99381e32ea.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773797a4-d74c-4eff-bdd0-ddc240bd6cca.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aa2486c-af8f-4add-bc44-5514dd129b38.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e97fc3e9-eb6c-4165-a7b0-564e1470c976.vbs"

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe

"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35759043-3256-4dbb-a295-53a22ceb79d6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95a67844-932d-4545-8d20-5741a0100290.vbs"

Network

Country | Destination | Domain | Proto | Count
DE | 46.3.197.86:80 | N/A | tcp | 16

Files

memory/2280-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

memory/2280-1-0x0000000000F80000-0x000000000116A000-memory.dmp

memory/2280-2-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

memory/2280-3-0x0000000000530000-0x000000000054C000-memory.dmp

memory/2280-7-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

memory/2280-6-0x0000000000560000-0x0000000000576000-memory.dmp

memory/2280-5-0x0000000000550000-0x0000000000560000-memory.dmp

memory/2280-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2280-12-0x0000000000C50000-0x0000000000C62000-memory.dmp

memory/2280-10-0x0000000000C40000-0x0000000000C48000-memory.dmp

memory/2280-9-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/2280-13-0x0000000000E00000-0x0000000000E0C000-memory.dmp

memory/2280-15-0x000000001AE30000-0x000000001AE3E000-memory.dmp

memory/2280-18-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

memory/2280-17-0x000000001AE50000-0x000000001AE5C000-memory.dmp

memory/2280-16-0x000000001AE40000-0x000000001AE48000-memory.dmp

memory/2280-14-0x000000001AE20000-0x000000001AE2A000-memory.dmp

memory/2280-8-0x000000001ADD0000-0x000000001AE26000-memory.dmp

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe

MD5 192f0f1221e376146e725a4d23ee69a0
SHA1 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
SHA256 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
SHA512 daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe

MD5 1d34a4062408c41685f98d3552a8ac2d
SHA1 3fcc24ee7da60f71b563cf360a395178274d83fe
SHA256 fde44434ca762a577c4f2840b3029eed88e91c41ec6ef2ae28473a6606035402
SHA512 50b75e117397301f3acc1ae2f362cec75d061c45789011c57e0b3e2a8bbd4ce673f5bc081df3d64d589dbfb7ab95a297dd1a04804f39adc2c8b579f3e56018fa

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe

MD5 c525e1d9ff51e646742e7c6403469529
SHA1 28e5050a7657af750630854b5aced9c905ab7a2c
SHA256 ba26c630cffe91736feb9c17258770bc9416828b8a3fd3feb30f2016aba1d6e1
SHA512 9d62218b92b454620f654d305cddc86c04c978c60eb512735b56556928e1cacc270c7cea0065a09eee4a3e72a437f66c1c14d3f29788a38369d966803f80e5db

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe

MD5 4082314399ef9432f746d09ddeba93bd
SHA1 4365fa6112e0e6b5fb3b7c6ab1c08b79c8fa721b
SHA256 ef58eeb4cf44148e62370990d952b04a8749f27bf1338a6cae4e91ea99049040
SHA512 d4c378d7500dd5bea61766f89cc699113cffdf69ad7541889c76be267e04da42eb7e9ba411b8be385ea2d1d74fa3c3468bfbe91f95b94751494810752cbb574d

memory/1736-196-0x0000000002910000-0x0000000002918000-memory.dmp

memory/1740-195-0x0000000000980000-0x0000000000B6A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 bb00fa18531eb39ea0f379e3ac0b5713
SHA1 35806a59a3cfb75a8efa321b7d077e5702b08e44
SHA256 54b5b1d9a6fd1db968e4792e52059e8a3cb682e99a0a467d0e0b3cd4dd507ec3
SHA512 654fdbc7d0d6aed33a075fe422362f198d43735da004245bdf80591545dbea9d830bb092014c14cf8b7d84151a17e8bd92c15de216747611b431e41d84d713ef

memory/2128-194-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2280-234-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

memory/1740-239-0x0000000000560000-0x0000000000572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\000a36eb-8f05-429d-855f-89b30d664d3d.vbs

MD5 b76eb07a43724a1abd0f255b4a18ae54
SHA1 d432e154aaed126f85cbb0f9a6fb9e86ea6690b8
SHA256 0dc17a8271ff4e59c2b9f03b0c92727cbf40428628b7779e3a9c2018dee2bd38
SHA512 a77412116a45e3498d0db7f008f7220777844b155fff6ebd946c07f155a553013c7b58e510cfbf9b2d4a17d565c94108e722ccbb5b47df09bdb91c6b3880629d

C:\Users\Admin\AppData\Local\Temp\02e82330-10e4-4d69-9ac7-ae20e57401a6.vbs

MD5 0d0d3de3358243b3f86178f207867bd4
SHA1 fad78c801830da5f828fecee992279f1186a0a60
SHA256 63dc8e286131d64c43bb997a1f6285eaca66946cf31a213ea6166cfd1b53337a
SHA512 343c795fd3260ae434f80ac894c32139d25ab043967a0f6369a2481e1ec72f3647d28151ea762e6a0950eb6630fa8c9b592bebf3bcada62adb1ffd0925d85193

memory/1512-250-0x0000000000BF0000-0x0000000000DDA000-memory.dmp

memory/1512-251-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ad17da4-5d28-4cd3-a423-197244fd6b37.vbs

MD5 b6cc3157632624ad3ec1b198aea0db7d
SHA1 44ca5d291f8ad3e5367bc97deb3ed05b30101deb
SHA256 714e73935e73cc28c6ee37614b3c35c64d534b97336a88849e88f12a29e1af09
SHA512 a80f9c7664e9e11dabfd07a10bda576f9dbb6c4aa6bd2e405517d8c0fb8efbf105cf8622aefe42b9238f9df11189e1e1c9d6fc9016cf4617b79088389aa192ab

memory/3036-263-0x0000000000250000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0b4bf8ee-f19c-4b34-b84f-556cf4df2999.vbs

MD5 4d27bcab7652be26e04e6c20efba3b06
SHA1 befd13c8a1e6bef14cba0c5132d55a2061324700
SHA256 ff0a44b592cfa886108b18a0bd313baa2af59a65909bb855d864fab6edefe7db
SHA512 ad39822d324cc645db71b92af81c770dd86e56f2b8d900f058fcf68e0cd86ba9a07369d48b2e6876865f9a9f6a7ce70d8831e533400fd994b6fe798f0544f374

memory/2216-275-0x0000000001040000-0x000000000122A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e482dfe-79c2-45b2-844d-0acd5076dd8a.vbs

MD5 6e9b538a9e02c38aa2477eb65f3b2720
SHA1 a0620edf4f3a4be162ffde2d998d690450119e52
SHA256 49b595e6a4633b09c8d6fcfa079807333f98ab4ed1a8c08fa3f6f73b28facd23
SHA512 102dbe7038494a4979bbc51c1a32eb35363315c69280e521e2b3805e832929f8b2ab47cdecf0ef6c6dd8babbc05070c7a57075e9f8bb46f9068b0d2fefe7680d

C:\Users\Admin\AppData\Local\Temp\071b134e-531d-47df-b1b7-f33365a13a85.vbs

MD5 1c1fb7e7eaff7a849c91a681e172598f
SHA1 9c8645b6bf491c9da40f4072758fedcc674317f7
SHA256 815bee69e3790c16eee1f79cd0aebfd1935d1d80248664dd0b0d45672719675c
SHA512 a4d37cbafef139cad93add21af4ebe0444b976de41ee498c4ed384627f4d1ce0c8bbe5548318a38ba016edf2456f8b1431d2e1df4507dff5cd0fc1b717dd1569

memory/1748-298-0x0000000001190000-0x000000000137A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3b3cfbd5-f0bf-4992-ad0e-9d99381e32ea.vbs

MD5 ad6208c1c901a1458291f59bc3a660d7
SHA1 77fcbabbc38d067960f2b8dac95c6c521b34ceb3
SHA256 6fc1848997af117e009920bf33929ef8f2ea0e614c83f1f283d3ab2c0b6db012
SHA512 08b955647310ce25b8d14f839df80244d21c3eb35c147596dd2bf6cf71691ff0c564eafe2ac47ab72edb118193fb6b404709c6c5b07f502c9c7ce55d0547b58a

memory/2752-310-0x0000000001250000-0x000000000143A000-memory.dmp

memory/2752-311-0x0000000001240000-0x0000000001252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9aa2486c-af8f-4add-bc44-5514dd129b38.vbs

MD5 0b0749de7c4301b78b8350e9251fa22e
SHA1 476e3228368a092a257adac380741417d2bb0d94
SHA256 afbb0ac0be3b7ae469ef2b2478b3357dd689aec71f913e4f3fe1ba76a2eb67fc
SHA512 be02fb5cc0623819cfe1e73363a6539071407c89e9a1a33542a1109a77e7cae665e0322d188b10fd9074dbdcdf2dff97b525736db8b6961a7c413a23a7908e49

C:\Users\Admin\AppData\Local\Temp\35759043-3256-4dbb-a295-53a22ceb79d6.vbs

MD5 c2a150fb928ca9efc370146e13a49ff0
SHA1 cb3b5b1a2c1641466827837f0543c98a52b51146
SHA256 e279e09607455b6fe7e5210b368a2cbb94f485ca341c4622facd4e86701ccb08
SHA512 05f954315dc988ec32e4559a5585ccb7c9559d897b5fef47ae294c40dfec61b88fb07a48789a2289f751fc0d051ff948dff64ff17a47cbe4ef3d02f35eafa8da

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20241010-en

Max time kernel

16s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 108 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 108 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 108 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp

Files

memory/108-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

memory/108-1-0x0000000001020000-0x0000000001060000-memory.dmp

memory/108-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

memory/2424-7-0x000007FEEDE3E000-0x000007FEEDE3F000-memory.dmp

memory/2424-8-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

memory/2424-9-0x0000000002560000-0x0000000002568000-memory.dmp

memory/2424-10-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

memory/2424-11-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

memory/2424-13-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

memory/2424-12-0x00000000026AB000-0x0000000002712000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e96770687ffc3c0dce62ec3838e9e016
SHA1 da5d6fd725ecf9f958a67ab6259e75983814b24d
SHA256 ff70c9dc86025288062a5a7a71929ebae088b7c4c00206a45d5a2bf6489dc903
SHA512 05d157644c26f408901fec012a89e911dde0d0987dbb432061a2f6b1480504ffd4403482b320312513eb3d87ce04632ef9a0db746e4807f1d5cb707b984d3408

memory/2888-19-0x000000001B210000-0x000000001B4F2000-memory.dmp

memory/2888-20-0x0000000002490000-0x0000000002498000-memory.dmp

memory/108-21-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

memory/108-22-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

memory/2588-34-0x0000000001D70000-0x0000000001D78000-memory.dmp

memory/108-38-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20241010-en

Max time kernel

151s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2620 set thread context of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 set thread context of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2808 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2620 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2620 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2620 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2620 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2620 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2620 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2620 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2620 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2620 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp

Files

memory/2808-0-0x0000000074441000-0x0000000074442000-memory.dmp

memory/2808-1-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2808-2-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2808-12-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2808-13-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2808-25-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2808-26-0x0000000074440000-0x00000000749EB000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 97863757bcbb19ac4b85fdee34b532c2
SHA1 546673271b915dec79834f35767c7045b5aaf6a2
SHA256 05186a0de5bb7938a8b1f81f215abcec797e51d48f92979b1ae5ab57d1683ec6
SHA512 419ab1c94e00e5d278d86513d7d47c61b3b7ee7647bf4bad1e9a5baa34c7730f57210dda360ed202de7644e52ac088409592c22f369ce0aad5e624a1d0d9df77

memory/2620-34-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2808-33-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2620-35-0x0000000074440000-0x00000000749EB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e6c0b679f03b895ccda4c16b8656cfe
SHA1 b72a2f6e91da319a7c9970dfcef142129464414b
SHA256 16d04037d5b8e15ada46b2cc936aacb94a6739732c36ce390f0a4f2dcd456270
SHA512 a49319824c6c3e969cf25be963764363dbad6ca4da56baafb8867784f5c701a16f383aefedd6aa543b35979d2b5c9ae4e409e801b65a643bbb3f26b9aae8eaf1

C:\Users\Admin\AppData\Local\Temp\Cab3B0D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2620-44-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2620-45-0x0000000074440000-0x00000000749EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar4A3B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

memory/2620-67-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2932-79-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2932-78-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2932-77-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2932-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2932-74-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2932-72-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2932-70-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2932-68-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2620-92-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2620-95-0x0000000074440000-0x00000000749EB000-memory.dmp

memory/2620-96-0x0000000074440000-0x00000000749EB000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\app.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4860 set thread context of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 set thread context of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5724 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 5724 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 5724 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 4860 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 4860 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 4860 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 4860 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 4860 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 4860 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 4860 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5724-0-0x0000000074BA2000-0x0000000074BA3000-memory.dmp

memory/5724-1-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/5724-2-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/5724-3-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/5724-4-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/5724-16-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/5724-17-0x0000000074BA2000-0x0000000074BA3000-memory.dmp

memory/5724-18-0x0000000074BA0000-0x0000000075151000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 c5de36531a3c4a3a1d9098ac862e5214
SHA1 648231e5533d7ce188ff90a9c851fd2f22a73930
SHA256 20083eeac2dc9fbeadca54a8a1f74c44336baacdd1d7ccb06836ec1946cd9857
SHA512 2beb218cac41a38f912858d60398b1597c705942c7aa33f98aff4cdbc1788a5a915eeb543ce775f39d8e5847ba829bb48779431ff6a69b092df445e5492504e5

memory/5724-29-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4860-30-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4860-31-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4860-33-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4860-32-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4712-35-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4712-36-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4860-38-0x0000000074BA0000-0x0000000075151000-memory.dmp

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

memory/3660-52-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log

MD5 b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1 ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA256 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA512 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

memory/4860-57-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4860-60-0x0000000074BA0000-0x0000000075151000-memory.dmp

memory/4712-61-0x0000000074BA0000-0x0000000075151000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX9687.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\RCX9E98.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\RCX9E99.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX9995.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX9A03.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\f11cf609cd2375 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Skins\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\56085415360792 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX96F5.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ja-JP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\ja-JP\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\ja-JP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 1924 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 1924 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 1716 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1716 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1716 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1716 wrote to memory of 2896 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
PID 1716 wrote to memory of 2896 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
PID 1716 wrote to memory of 2896 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
PID 2896 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\cmd.exe
PID 1476 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1476 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1476 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1476 wrote to memory of 756 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
PID 1476 wrote to memory of 756 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
PID 1476 wrote to memory of 756 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
PID 756 wrote to memory of 1308 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe C:\Windows\System32\WScript.exe
PID 756 wrote to memory of 1308 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe C:\Windows\System32\WScript.exe
PID 756 wrote to memory of 1308 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe C:\Windows\System32\WScript.exe
PID 756 wrote to memory of 1000 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe C:\Windows\System32\WScript.exe
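
The WriteProcessMemory table above is the clearest record of the execution chain in this detonation: the dropper (PID 1924) spawns seven powershell.exe instances for the Defender exclusions, then cmd.exe running the dropped .bat, which calls w32tm /stripchart (used as a short delay) before relaunching the dropper (2896); the second round ends in the spoolsv.exe copy under Reference Assemblies (756), which then runs the dropped .vbs files via WScript.exe. The script below, an added example that is not part of the sandbox output, rebuilds that tree from the report rows. The row subset is copied from the table above, with the repeated parent/child pairs kept as listed so the de-duplication is exercised; the regex and rendering are this example's own.

```python
"""Rebuild the parent/child process tree from the WriteProcessMemory rows above.

Added example for this report, not sandbox output. Rows are a subset copied from
the table above; parsing, de-duplication and rendering are this example's own.
"""
import re
from collections import defaultdict

# Image paths exactly as they appear in the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
SPOOLSV = r"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# Subset of the report rows. The same parent/child pair recurs because the
# sandbox logs every write into the newly created process; repeats are real data.
REPORT_ROWS = "\n".join([
    f"PID 1924 wrote to memory of 2604 N/A {DROPPER} {PS}",
    f"PID 1924 wrote to memory of 2604 N/A {DROPPER} {PS}",
    f"PID 1924 wrote to memory of 2604 N/A {DROPPER} {PS}",
    f"PID 1924 wrote to memory of 1716 N/A {DROPPER} {CMD}",
    f"PID 1924 wrote to memory of 1716 N/A {DROPPER} {CMD}",
    f"PID 1924 wrote to memory of 1716 N/A {DROPPER} {CMD}",
    f"PID 1716 wrote to memory of 880 N/A {CMD} {W32TM}",
    f"PID 1716 wrote to memory of 2896 N/A {CMD} {DROPPER}",
    f"PID 2896 wrote to memory of 1476 N/A {DROPPER} {CMD}",
    f"PID 1476 wrote to memory of 2388 N/A {CMD} {W32TM}",
    f"PID 1476 wrote to memory of 756 N/A {CMD} {SPOOLSV}",
    f"PID 756 wrote to memory of 1308 N/A {SPOOLSV} {WSCRIPT}",
    f"PID 756 wrote to memory of 1000 N/A {SPOOLSV} {WSCRIPT}",
])

# Both image paths start with "C:\" and neither contains " C:\", so a
# non-greedy first group stops exactly at the boundary between them.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges in report order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent PID to its children and each PID to its image path."""
    children, image = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
    return children, image


def roots(edges):
    """PIDs that write to others but are never written to: the detonation entry points."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def chain_depth(children, pid):
    """Length of the longest parent->child chain from pid (re-spawn loops show as deep chains)."""
    return 1 + max((chain_depth(children, c) for c in children.get(pid, [])), default=0)


def render(children, image, pid, depth=0, out=None):
    """Indented one-line-per-process view, parents before children."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{pid} {image[pid]}")
    for c in children.get(pid, []):
        render(children, image, c, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    tree, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, images, root)))
```

The chain from the dropper to the first WScript.exe is six processes deep, and every hop after the first cmd.exe is the malware relaunching itself from a new path, which is the behaviour to look for when a "spoolsv.exe" or "csrss.exe" process has cmd.exe as its parent.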

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\audiodg.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbdqqO4wF7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rhJyFUC1sI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c80d33-fc82-49f6-9887-6194c9b9e4c9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0b9f79-e92d-461e-ba9d-035c6ade5369.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c00bb0f4-042f-4d3e-84f5-7199ba61a020.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39935f99-b55e-4815-a8a7-8541c3b8616e.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd1e594-cedb-4e66-881e-35b3b8dceec7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\663cd161-27d6-4f00-b318-bcbaaf2d742d.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdc0d54-74b5-4bf0-a765-2c7ef67e8c19.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24460d33-9f14-4032-a003-e0efeb83429f.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\514d493e-a860-4192-984f-dc65d6893eb9.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a8081e-fb2c-4086-ba28-50097651a504.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48e748f3-a566-4a80-89e5-fd5c2e913cba.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c27f2b-b45b-40d4-9793-b432521ec358.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14bf4083-7c70-4ede-b737-48785590ba59.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\513c39f7-de23-4ef3-af25-e97130d2b705.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02916f4a-e6af-4d0e-b264-909a38163ccf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43ebebfc-f677-4577-a210-efaeec9cf7f8.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8593642-4ae0-4d7b-a635-55ead738bac7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dbfa688-7d89-49e9-9a8c-a72885053d3d.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64bd468e-b006-4891-8c9e-ed6fe8762c66.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a3c08a6-4162-4791-93b6-48e4dd3f605e.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4182c578-166e-4201-bf9d-5ec13bf3a395.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20a87400-8df2-4ca6-b6d5-d0dbe1d1144b.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e533bebb-91a0-40e9-ba70-ab74737a4659.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ece93cd-1e7b-4d05-91de-4312fb22e31b.vbs"

Network

Country Destination Domain Proto
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp

Files

memory/1924-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

memory/1924-1-0x0000000000270000-0x0000000000412000-memory.dmp

memory/1924-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

memory/1924-3-0x0000000000240000-0x000000000025C000-memory.dmp

memory/1924-4-0x0000000000260000-0x0000000000270000-memory.dmp

memory/1924-5-0x00000000005A0000-0x00000000005B6000-memory.dmp

memory/1924-7-0x00000000005F0000-0x0000000000600000-memory.dmp

memory/1924-6-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/1924-8-0x00000000005D0000-0x00000000005D8000-memory.dmp

memory/1924-9-0x00000000005E0000-0x00000000005EC000-memory.dmp

memory/1924-10-0x0000000000790000-0x000000000079C000-memory.dmp

memory/1924-11-0x00000000007A0000-0x00000000007AA000-memory.dmp

memory/1924-12-0x0000000002150000-0x000000000215E000-memory.dmp

memory/1924-13-0x0000000002160000-0x0000000002168000-memory.dmp

memory/1924-14-0x0000000002170000-0x0000000002178000-memory.dmp

memory/1924-15-0x0000000002180000-0x000000000218A000-memory.dmp

memory/1924-16-0x0000000002190000-0x000000000219C000-memory.dmp

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe

MD5 8b03d1f60bdf0b6465c0623109e7269e
SHA1 33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

C:\Program Files (x86)\Windows Portable Devices\csrss.exe

MD5 0b73d95537d4effd03cef8ff0335ee4e
SHA1 97c6f7d160c7b0b22e4463a4c0ad9a519d003d8a
SHA256 7f8e84fccd955d5e01646ca11ecc7a8b70f6985e36e1df0ece02f37c3d0b81e9
SHA512 ede3722171595d37bc14a9e484471dbfae21a4809e5149cb2b63936ad6867274c26efdbf290146e6a9e37609f8ff659fc5761aa84b32a5c79175f7c8fd019f23

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe

MD5 73270f0623b4e563f303814af8a35cdf
SHA1 99d2ec5a6d2796e6e82ae20a2bbce30efd2eec85
SHA256 82cfd06a9b9ac15a3851ef57c628c02add7f85ec9fdffcb7cf5618fef87ea010
SHA512 c101b629eaba445c28830cd08abae82b21b629aec15894861077f9e2369324f5c7c84f38692555764ffd4914ffccde46ef7419346003924013d5a44627565b17

C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe

MD5 6be01e880b49b6468d97576d45dab300
SHA1 38de2fdc20cc9c0537a778a1c94c1018d7f1203e
SHA256 41ad555e28f385deade32c635e35e0d7fb12698bd6cdac4e65af5940376cee60
SHA512 021beb46a588e0fc058e6f22a6fe2dd03088b42ec89b615611093c03bea538fc486dca0ed6f4f3db499bf69cd0306a49648ac4022323922526bd61133848a2a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d638a8aa8e6ca4ba671124c950a1d0a0
SHA1 ab787acb4582cbeca2b812df6e4ca95f9aa4d633
SHA256 219f2c0b1fc00a6ad4dc91515b21a5c1474ed624b8ee3f9a777917604b0081ee
SHA512 79eaec864181cfb32bdcfe91d6fcdec68fd50e513abd6bb6cac586cc73bc152a6b3c1f54f578d1358c6532198876c561a13ac5ab816e7b00acdd2d0d065ba417

memory/1924-117-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

memory/1596-128-0x00000000022B0000-0x00000000022B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bbdqqO4wF7.bat

MD5 7e268009943c9f90f1ad458e64bd4145
SHA1 0d62cc0b9b2a8ff27c75ee3c987eeac139bb3dcd
SHA256 62dec3c112c630ee367c57a19d8a9f7ccead079a5633c9f8d5178cfe09abedd2
SHA512 ded485da3f5b08ed9e995e0a86dd5476fe383cce982b8842ed205d90a6549fc5d28a0b3991820decfd69a4389665183d85a9be09a0dc45e73ed0f000026c220f

memory/1596-110-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2896-144-0x0000000000C70000-0x0000000000E12000-memory.dmp

memory/2416-179-0x000000001B600000-0x000000001B8E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rhJyFUC1sI.bat

MD5 09f0ae9cb76a3e28f8732870f059cc96
SHA1 e815d34cb854c821ea430fe5a539658c2f7a5854
SHA256 aa19ae8aefbeb092fa3b2c05b6ce976e4965684c56ccc977403a1203322abe94
SHA512 c258a53859a16151f581a096fd68e2bb7688b47b825c6acfea9dc496db7cca703838773febbe5684265d0073e38e59ce321fb9df32bad68060263fc754f0359b

memory/2416-184-0x0000000001E00000-0x0000000001E08000-memory.dmp

memory/756-213-0x0000000000A90000-0x0000000000C32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49c80d33-fc82-49f6-9887-6194c9b9e4c9.vbs

MD5 01b243ef9b7e78fca2c16f7652a45f82
SHA1 38771516d9b0567ca3fe9b77d41278d5ab102103
SHA256 4a6836a669635fed9f36b345c19723e370c16d6b2fc906c5c31d845c70640ed1
SHA512 3e15cffa6331f63b49ad181b51c6df825cde51ffe784216d951f8fc8765a41e444476ed38c88c9f41fe368761b993c7f770cf6de74a92fefed142f21d67a8364

C:\Users\Admin\AppData\Local\Temp\6b0b9f79-e92d-461e-ba9d-035c6ade5369.vbs

MD5 427c74111837ab25ebc3e957b7de878a
SHA1 d802d9fdc0d1956f9de4f52138ccb34f4bbccaea
SHA256 b523a1f332255b2ec005b9c5afe4fa1eddd963edcfa9c2fd0be439c9aca428ca
SHA512 fd5bca024eb79c51b6b7a90335e1e7672dcc5ac7da7a862e7a3bc25036b0e31d1feb82d534b4b2cbca04d31752875e43141624f32947c75038512a1ba4a90202

C:\Users\Admin\AppData\Local\Temp\c00bb0f4-042f-4d3e-84f5-7199ba61a020.vbs

MD5 6ddc8602de136cfa5a4ce2d411e665ec
SHA1 a67108d2328754a5b1db9c53af3fb2f218a24fe8
SHA256 f71e4b31c347ea22ac7cf66ade9603b2be991244efe4407c9e544bb4c6ce8cf8
SHA512 193111e66532ffd1bdc568918b9aad2d1956f9f3987d550661fd1747ff19fefda119cfdc1ae12752401489d75874b9345bdf493e7046e297a92d3cbd1bb029e2

memory/1508-235-0x0000000001100000-0x00000000012A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3fd1e594-cedb-4e66-881e-35b3b8dceec7.vbs

MD5 3cb9ceab802c53b354a7d6a4749b7674
SHA1 3d4a8a415e3b524dfd4ed851314f16566eccb329
SHA256 69d170e27796c7396e64c8164070246d0b5b4833c415153388315e06738a47f6
SHA512 fbf13cd345096cc33e57e48e5a551b88ab761e08db9a13fe52bb78ee936c6ec1e409b0a9a476c962c830842ba3abda15cb4a2fd36c224268e9626e11556f35c6

memory/1644-247-0x00000000000A0000-0x0000000000242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bcdc0d54-74b5-4bf0-a765-2c7ef67e8c19.vbs

MD5 29ba92d387d4f243248b004cf0857f40
SHA1 84796307761cce50e6fc60aab287bc620b87ae6b
SHA256 4bbe1433b54e1f85cac6f37a8bd378086a3e668f02279a66281e60d693c9e491
SHA512 58a8998f0926c06b0efeca187ff8288c9822356658d4b2d62c278e85d9d795d56cdbb9e43da23f71ed7669d24c8b449a1620617d34e7292a9d86e21f9e7e5d29

memory/1596-259-0x00000000010C0000-0x0000000001262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\514d493e-a860-4192-984f-dc65d6893eb9.vbs

MD5 40f0984d0ded3b409f55488edb51475c
SHA1 bfcdab74e6b53411c3f75c5b7b0f6b14e5082b96
SHA256 6605dae4da5e4bb3ec6d69a1f635b32b9c3cf192791a60338c1efd1338474d3d
SHA512 1a37ddd6bb39e5dc12c59c885f93801503a274fc0609ada578ca01de400357849644d0bc81555fbdc0817cbb26519503bbd52eec7fe72729d7a433434697c67c

memory/2944-271-0x00000000001F0000-0x0000000000392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48e748f3-a566-4a80-89e5-fd5c2e913cba.vbs

MD5 37ce81857a22af9a1ac4599a4e8b6357
SHA1 c14de35236e37690db1c5be77307bfc63249da80
SHA256 bce354d6c030451f580193bb07261448cd94831c549861ea37c2f6e9606288ef
SHA512 59d14d71c51dd1f948e7ff827e22fb4d1ade8c5d26ef355f64762eb6d1d77525cff4b1d12bc1fca0cae8c37c5e460f7cf679015ce81b5eb1d8c336165c215612

memory/1892-283-0x0000000000AC0000-0x0000000000C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14bf4083-7c70-4ede-b737-48785590ba59.vbs

MD5 56df3f3f5671dbcbe51c663d33abddc0
SHA1 284c056228cfd33e32597b232104d110d7370a5b
SHA256 3e64a8de9257224e62ebff3b34db31892cea3e9ac2effa39f391dda378752750
SHA512 40d95115dba215c551dc8eda0603e3849a866013c67ed41b75c36bffb967e68eda8a62d92dd5b9b88e66e001838da772a3b00e85029bfbfc5c87480acf6adb0d

C:\Users\Admin\AppData\Local\Temp\02916f4a-e6af-4d0e-b264-909a38163ccf.vbs

MD5 c2d423d0db9ca53bac8a5054c82a0b7b
SHA1 2e6b5a9ca00bd03d004c9b093ec94fad83093b37
SHA256 f4a133f2af0cf84301e468638a926fdddf5110f4fca12974abfea44bddfa22b9
SHA512 cd5b0e4d8c168aa983a36c4cb477f36b1c1753a89094c1f8bb1fe4ed352459fcc14c18dc552be98c449193d452c31af809f0c010634fc0210d874067b956c8ff

memory/1480-306-0x00000000002A0000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8593642-4ae0-4d7b-a635-55ead738bac7.vbs

MD5 2816adc772b71371a6192a942146c33c
SHA1 ae5bfc395d8bd5a2e74fec628b43a4013a5b21b6
SHA256 6ba7f65c9eaf991e194def1860ac3c77f9c27b30c02482bc7c771840beb95a9f
SHA512 bf9452f406a88d8bd27c4f4a22f624eaaac65dbb794f3f480c0068abf641a307e33462448c776fb68128335aece3f63558a07b6e0fff0053180289e5d0e0f56d

memory/1584-318-0x0000000000910000-0x0000000000AB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64bd468e-b006-4891-8c9e-ed6fe8762c66.vbs

MD5 ab98b23fb4347d31512b21ae36d01342
SHA1 c80f267206d2638d51c5aa56443c999d3b581a99
SHA256 a6eea52c38284d8635762529ad038c5fd43d413f62421289b47d2765c5b88f2e
SHA512 771261f8449897ea25255f981f4994668469a153c14ae965d056ef322174de274703dee5d1733cd322194dbf60039485709721c869266b9a88a94841e899709d

memory/1160-330-0x0000000000FE0000-0x0000000001182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4182c578-166e-4201-bf9d-5ec13bf3a395.vbs

MD5 f9b3216288370816b0b19ecf76fc4337
SHA1 cf18e298ee510077c1ab5fc79c100f4aad0a1120
SHA256 eb804a9a3bfca4e1d63d77440812e3ca6ec4874d9597bb21136716ea6bdf0c7c
SHA512 9d300943bb825a010602d1d8066e609943e3b6cfcdbcfcdd355e3c40aa3ce85fd7e6d06f5a88bb696decf9035cf8034fbec810c78691ff98326063f9b563a637

memory/1432-342-0x0000000001370000-0x0000000001512000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20241010-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
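
The 48 rows above all say the same thing: schtasks.exe was started with wmiprvse.exe as its parent. A child of the WMI provider host is what you get when a process creates another through WMI (Win32_Process.Create) instead of CreateProcess, so the parent link to the real requester is lost. Combined with the 48 schtasks rows in the DcRat signature, this is the persistence setup being done through WMI. The parent-child pairs worth alerting on are given below as part of a combined example further down, after the file-drop tables, since the same DcRat footprint detector covers both.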

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
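
Reading the table above as a responder: three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are forced to 0 by both the original sample and its persisted copy (spoolsv.exe in Uninstall Information). Each value weakens UAC in a different way and on a different timescale, and a successful write to this key already requires administrator rights, so the writes show the sample was elevated in the sandbox session and is arranging for future elevations to be silent. The Python below is an added example and not code from the report or the sandbox vendor; it parses rows pasted verbatim from this table (a constructed subset), collapses repeated writes to the final state per value, and explains each weakened setting. The meaning strings are the editor's reading of the documented UAC policy values, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: rows pasted verbatim from this report's "UAC bypass" and
# "Checks whether UAC is enabled" tables (a representative subset; columns are
# Description, Indicator, Process, Target flattened onto one line each).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Uninstall Information\spoolsv.exe N/A
"""

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (.+?) N/A$')
QUERY_RE = re.compile(r"^Key value queried (\S+) (.+?) N/A$")

# Policy value -> (data that weakens UAC, what that state means on the host).
# These readings are the editor's, based on the documented UAC policy values.
UAC_WEAKENED = {
    "EnableLUA": ("0", "UAC switched off entirely (takes effect at the next reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate silently, no consent prompt (read at each elevation, no reboot needed)"),
    "PromptOnSecureDesktop": ("0", "elevation prompts drawn on the interactive desktop instead of the isolated secure desktop"),
}


def parse_uac_rows(text):
    """Return (writes, queries) for rows that touch the UAC policy key.
    writes: (value name, data, writing process); queries: (value name, querying process)."""
    writes, queries = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            _kind, path, data, proc = m.groups()
            key, _, name = path.rpartition("\\")
            if key.lower() == POLICY_KEY.lower():
                writes.append((name, data, proc))
            continue
        m = QUERY_RE.match(line)
        if m:
            path, proc = m.groups()
            key, _, name = path.rpartition("\\")
            if key.lower() == POLICY_KEY.lower():
                queries.append((name, proc))
    return writes, queries


def assess_uac(writes):
    """Collapse repeated writes to the last value seen per policy name and report
    each one that weakens UAC, together with every process that wrote it.
    Any successful write here needs administrator rights, so a non-empty
    result also tells you the writer was already elevated."""
    final, writers = {}, defaultdict(set)
    for name, data, proc in writes:
        final[name] = data
        writers[name].add(proc)
    findings = []
    for name in sorted(final):
        bad_data, meaning = UAC_WEAKENED.get(name, (None, None))
        if final[name] == bad_data:
            findings.append({"value": name, "data": final[name], "meaning": meaning,
                             "written_by": sorted(writers[name])})
    return findings


if __name__ == "__main__":
    writes, queries = parse_uac_rows(SAMPLE_ROWS)
    for f in assess_uac(writes):
        print(f"{f['value']} = {f['data']}: {f['meaning']}")
        for p in f["written_by"]:
            print(f"    written by {p}")
    print(f"{len(queries)} reads of EnableLUA observed")
```

On a live host the same three values can be read back with reg query or Get-ItemProperty on that key; ConsentPromptBehaviorAdmin = 0 is the one that matters right now, since it makes every later elevation by the persisted copies silent without waiting for the reboot that EnableLUA = 0 needs.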

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Uninstall Information\spoolsv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX5B0E.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\b8efadc0803b95 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Uninstall Information\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Windows Mail\en-US\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Uninstall Information\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Windows Mail\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX5ADF.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Microsoft Office\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Windows Mail\en-US\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Uninstall Information\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Setup\State\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\IME\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Cursors\audiodg.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Offline Web Pages\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Setup\State\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\Setup\State\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Cursors\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Offline Web Pages\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\IME\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\TAPI\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\Cursors\audiodg.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\Offline Web Pages\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\IME\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
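
The two file-drop tables above show the DcRat install footprint: copies of the payload named after core Windows processes (csrss.exe, winlogon.exe, services.exe, spoolsv.exe, audiodg.exe, WmiPrvSE.exe) written into directories where those names never legitimately live (Windows\TAPI, Windows\IME, Windows\Cursors, Program Files\Uninstall Information, and so on), each accompanied by an extensionless file with a 14-hex-character name that repeats for the same binary name across directories (886983d96e3d3e beside both csrss.exe copies, f3b6ecef712a24 beside both spoolsv.exe copies, 24dbde2999530e beside both WmiPrvSE.exe copies). The earlier "Process spawned unexpected child process" table adds the scheduled-task side of the same install, done through WMI so that schtasks.exe appears under wmiprvse.exe. The Python below is an added example and not code from the report or the sandbox vendor; it parses rows pasted verbatim from those three tables (a constructed subset), flags masquerading binaries by name-versus-directory, pairs each with its companion file, and counts the WMI-proxied spawns. The table of legitimate homes for each binary on 64-bit Windows is the editor's assumption, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of rows pasted verbatim from this report's
# "Drops file in Program Files directory", "Drops file in Windows directory"
# and "Process spawned unexpected child process" tables.
SAMPLE_ROWS = r"""
File created C:\Program Files (x86)\Microsoft Office\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Microsoft Office\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Uninstall Information\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Uninstall Information\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\IME\winlogon.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\IME\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\TAPI\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\TAPI\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Setup\State\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Setup\State\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\Cursors\audiodg.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\Cursors\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
"""

# The sandbox process path has no spaces, which is what lets the lazy group
# for the (space-containing) dropped path stop at the right place.
DROP_RE = re.compile(r"^(File created|File opened for modification) (.+?) (C:\\\S+) N/A$")
SPAWN_RE = re.compile(r"^Parent (\S+) is not expected to spawn this process N/A (\S+)$")

# Editor's assumption: where each of these names legitimately lives on 64-bit
# Windows (lower-cased). The WinSxS component store also holds copies; if you
# scan a disk rather than sandbox events, add it here.
SYSTEM_BINARY_HOMES = {
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# The companion files in this report are 14 lower-case hex characters, no extension.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")
# A child of the WMI provider host was created via WMI, which hides the real requester.
WMI_HOSTS = {"wmiprvse.exe"}


def parse_footprint_rows(text):
    """Split flattened signature rows into (kind, dropped path, process) and (parent, child)."""
    drops, spawns = [], []
    for line in text.splitlines():
        line = line.strip()
        m = DROP_RE.match(line)
        if m:
            drops.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = SPAWN_RE.match(line)
        if m:
            spawns.append((m.group(1), m.group(2)))
    return drops, spawns


def find_masquerades(drops):
    """Dropped paths whose basename is a core Windows binary but whose directory
    is not one of that binary's legitimate homes."""
    hits = set()
    for _, path, _ in drops:
        directory, _, name = path.rpartition("\\")
        homes = SYSTEM_BINARY_HOMES.get(name.lower())
        if homes is not None and directory.lower() not in homes:
            hits.add(path)
    return sorted(hits)


def pair_companions(drops):
    """Map each masquerading binary to the 14-hex-char companion file(s) dropped in the same directory."""
    by_dir = defaultdict(set)
    for _, path, _ in drops:
        directory, _, name = path.rpartition("\\")
        by_dir[directory.lower()].add(name)
    return {
        path: sorted(n for n in by_dir[path.rpartition("\\")[0].lower()] if COMPANION_RE.match(n))
        for path in find_masquerades(drops)
    }


def proxied_spawns(spawns):
    """Count (parent, child) basename pairs where the parent is a WMI host."""
    return Counter(
        (parent.rpartition("\\")[2].lower(), child.rpartition("\\")[2].lower())
        for parent, child in spawns
        if parent.rpartition("\\")[2].lower() in WMI_HOSTS
    )


if __name__ == "__main__":
    drops, spawns = parse_footprint_rows(SAMPLE_ROWS)
    for path, companions in pair_companions(drops).items():
        print(f"masquerade: {path}  companion(s): {', '.join(companions) or 'none'}")
    for (parent, child), n in proxied_spawns(spawns).items():
        print(f"{n} x {child} created under {parent} (WMI process creation)")
```

The name-versus-directory check is the durable part: it does not depend on hashes, which change per build, and a csrss.exe or winlogon.exe anywhere outside System32 (or a WmiPrvSE.exe outside the wbem directories) is a finding on its own. The companion-file pairing and the wmiprvse-to-schtasks count are corroboration specific to what this report shows.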

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Uninstall Information\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1668 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\cmd.exe
PID 1668 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\cmd.exe
PID 1668 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\cmd.exe
PID 612 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 612 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 612 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 612 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
PID 612 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
PID 612 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Uninstall Information\spoolsv.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W2tbEWSDqo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20272816811517310018-1390373246-1608324919-1314573328-1585965784-1244662269799342459"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3rpLXaa8e.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Uninstall Information\spoolsv.exe

"C:\Program Files\Uninstall Information\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608a7d24-9261-4483-abdc-de1817c1c715.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6531a927-b2aa-4c94-8cf8-f037baacc273.vbs"

C:\Program Files\Uninstall Information\spoolsv.exe

"C:\Program Files\Uninstall Information\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d141fdb-af58-4a20-b467-6e47f0dad324.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3918262b-3937-44e7-af1c-f1fe2becc0ef.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0889572.xsph.ru udp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp

Files

memory/1668-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

memory/1668-1-0x0000000001180000-0x0000000001A78000-memory.dmp

memory/1668-2-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1668-3-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

memory/1668-4-0x0000000000250000-0x000000000025E000-memory.dmp

memory/1668-5-0x0000000000270000-0x000000000027E000-memory.dmp

memory/1668-7-0x00000000002B0000-0x00000000002CC000-memory.dmp

memory/1668-6-0x0000000000280000-0x0000000000288000-memory.dmp

memory/1668-12-0x0000000000830000-0x0000000000842000-memory.dmp

memory/1668-11-0x0000000000810000-0x0000000000818000-memory.dmp

memory/1668-10-0x00000000005E0000-0x00000000005F6000-memory.dmp

memory/1668-9-0x00000000005D0000-0x00000000005E0000-memory.dmp

memory/1668-8-0x0000000000290000-0x0000000000298000-memory.dmp

memory/1668-13-0x0000000000850000-0x000000000085C000-memory.dmp

memory/1668-15-0x0000000000840000-0x0000000000850000-memory.dmp

memory/1668-16-0x0000000000B00000-0x0000000000B0A000-memory.dmp

memory/1668-14-0x0000000000820000-0x0000000000828000-memory.dmp

memory/1668-17-0x0000000000C40000-0x0000000000C96000-memory.dmp

memory/1668-18-0x0000000000B10000-0x0000000000B1C000-memory.dmp

memory/1668-21-0x0000000000E90000-0x0000000000E98000-memory.dmp

memory/1668-20-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/1668-19-0x0000000000B20000-0x0000000000B28000-memory.dmp

memory/1668-23-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

memory/1668-24-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

memory/1668-25-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

memory/1668-27-0x0000000001000000-0x000000000100C000-memory.dmp

memory/1668-28-0x0000000001010000-0x000000000101C000-memory.dmp

memory/1668-30-0x0000000001020000-0x000000000102C000-memory.dmp

memory/1668-32-0x0000000001050000-0x000000000105E000-memory.dmp

memory/1668-34-0x0000000001170000-0x000000000117E000-memory.dmp

memory/1668-38-0x000000001B9C0000-0x000000001B9CA000-memory.dmp

memory/1668-39-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

memory/1668-37-0x000000001B9B0000-0x000000001B9B8000-memory.dmp

memory/1668-36-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

memory/1668-35-0x000000001B990000-0x000000001B998000-memory.dmp

memory/1668-33-0x0000000001060000-0x0000000001068000-memory.dmp

memory/1668-31-0x0000000001040000-0x000000000104A000-memory.dmp

memory/1668-29-0x0000000001030000-0x0000000001038000-memory.dmp

memory/1668-26-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe

MD5 5d8505501b7faa4c7e541b0a32467a58
SHA1 ed0b9de10c38774af49d9279e25a8958817f33a7
SHA256 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca
SHA512 a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 86ac014efc43cf459d29b32a36b6e262
SHA1 531463e31967c8920ab62e1125020575917f4f37
SHA256 4665a90f57b333a2fbcd0a42ae6d272d67bd27377a729a0d5fcc8e93de318370
SHA512 e95a45afea7079487bf72592bc402bad28e97ad518d50d3501a0bff2c01e639f7b79ae7b909b657925e7e4dc4d59e5b5191060654c790873f69ddba43a60c19b

memory/2188-97-0x000000001B110000-0x000000001B3F2000-memory.dmp

memory/1668-99-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

memory/2188-98-0x0000000002560000-0x0000000002568000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\W2tbEWSDqo.bat

MD5 aa0b9e0f88381eda8d944665d6da46ea
SHA1 d40b34a27fda89aac8b0ed4a84bd6aed977da5a3
SHA256 39993992eed25b350785f8a40589b971dbef574b393c05fe223f72d88c7fc223
SHA512 db5bb7052d4ef0716927f2f24c80159e5865e157c6c2b0c9bfd73a51d442ab31f42831640a888c01461817f8eabeb638df06cd47b30d37276e9e45ce1c7a7722

memory/1668-73-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

memory/2668-142-0x0000000000C20000-0x0000000000C32000-memory.dmp

memory/2668-143-0x000000001B640000-0x000000001B696000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2704-224-0x000000001B360000-0x000000001B642000-memory.dmp

memory/1040-245-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\q3rpLXaa8e.bat

MD5 9cd659e78563f6a2e3146fe63bcf9221
SHA1 2a190fa2a5255205a1af6133ca9a57685a34f5a7
SHA256 f1247a59e52c54d0688482543a6e6b45c42c592167117abf45eb4e4ef072077c
SHA512 e6b965276cd80d8309586e143dd6b3b209f2d03bf6ad1e2730e4c031ddb03317c842327d2a743322fd83d29846d2c7b1dfdccb078b8be3986c82bdf4ff98b633

memory/1928-269-0x00000000012D0000-0x0000000001BC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\608a7d24-9261-4483-abdc-de1817c1c715.vbs

MD5 198591adace4d5382e49473dfc678fd1
SHA1 60a4314573d45035af8b2c0bfcdbcc1c219d7b57
SHA256 0cfcf719dd54316bdb5700ca203daacf7ececfdb99717ed5e860a7225e2e2307
SHA512 b61b3cd39654597919bec92aac95ff3209fc8a39407e5266db7f14e71bc19ebfe6f31ffe33b5f61a2dbab698f2d1a7afe19002d1938488733095bc150f238772

C:\Users\Admin\AppData\Local\Temp\6531a927-b2aa-4c94-8cf8-f037baacc273.vbs

MD5 0b802e1cbfbdce7f7239ed80629f3332
SHA1 d479ca79ea96df2bf5d2548b7adf1646d60d0629
SHA256 7b35dc94bfb6a9ec507ef3a742dc2b9ed60abf67a67632f4f27c7f6534a066ac
SHA512 6f38315ba5ffc67e35223cf673ab159681e68e5c310b33e418635459e3f73ad1c2b8c9b03b00134bca36240623c3ae50625284b83e7cc83d183e7f56dfe58fc2

C:\Users\Admin\AppData\Local\Temp\0d141fdb-af58-4a20-b467-6e47f0dad324.vbs

MD5 3c55335b9cae1ab0ae39d030d1a16c90
SHA1 1d0c433df4badae55cb9f988eeebec7e03bd11bc
SHA256 d1e63386c78806d417c8ab0430b77b01c89848c92768cd9b3a080ebce16614c8
SHA512 651473bf680bd1be903e099505697642f5f59d2bd0f9823dcc07a47ccbedc374b82ffd4166e693b0fc8dbd99d9b802693b5bd2d54c51d48ebbe5606d8acc2686

Analysis: behavioral24

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\app.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3540 set thread context of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 set thread context of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 1384 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 1384 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 3540 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 3540 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 3540 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 3540 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 3540 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 3540 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 3540 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/1384-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

memory/1384-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/1384-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/1384-5-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/1384-6-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/1384-18-0x0000000074FF2000-0x0000000074FF3000-memory.dmp

memory/1384-19-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/1384-20-0x0000000074FF0000-0x00000000755A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 2a36c9ca52118eb7a7364b577e156cd5
SHA1 83f62a4a8643b9dfd89f6750a1b5e63a9d525b17
SHA256 6fa17b9dbde9b2f03975a5b5f44d7d2d4153aed94bebbd2098939a3562dac901
SHA512 bfbea8459c5135b6b21a2dc5bd149b0f775e4d540f7868252beb4e344e9de6e9040cb791da04186d487d92ef45a890154f80e62ebd16ac828f81ac2f6071732a

memory/3540-33-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/3540-32-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/1384-31-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/3540-35-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/3540-34-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2176-37-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2176-38-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2176-39-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/3540-40-0x0000000074FF0000-0x00000000755A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log

MD5 b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1 ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA256 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA512 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

memory/216-55-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3540-61-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2176-62-0x0000000074FF0000-0x00000000755A1000-memory.dmp

memory/2176-63-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2880-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

memory/2880-1-0x0000000001190000-0x00000000011D0000-memory.dmp

memory/2880-2-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

memory/2880-3-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

95s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/2896-0-0x00007FFFAFF83000-0x00007FFFAFF85000-memory.dmp

memory/2896-1-0x0000000000230000-0x000000000043A000-memory.dmp

memory/2896-2-0x00007FFFAFF80000-0x00007FFFB0A41000-memory.dmp

memory/2896-4-0x000000001AEE0000-0x000000001AEEE000-memory.dmp

memory/2896-3-0x0000000000D00000-0x0000000000D0E000-memory.dmp

memory/2896-6-0x00007FFFAFF80000-0x00007FFFB0A41000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20241023-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Windows\system32\schtasks.exe
PID 2600 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2600 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2600 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3048 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 3048 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 3048 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp

Files

memory/2600-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

memory/2600-1-0x0000000000B90000-0x0000000000EB4000-memory.dmp

memory/2600-2-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 35110eedb3518d1905b88025bf11b77d
SHA1 c39e96cc0dcb14065984c3d3fbff331070e37feb
SHA256 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd
SHA512 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2

memory/3048-8-0x0000000000960000-0x0000000000C84000-memory.dmp

memory/3048-9-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

memory/3048-10-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

memory/2600-11-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

memory/3048-12-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
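
Each memory dump name in the Files list encodes the owning PID, a sequence number and the dumped address range, which makes the list cheap to correlate across the two processes in this detonation. The following Python is an added example, not part of the sandbox report: it parses those names (the behavioral27 list above is embedded as constructed sample input), separates ranges that appear at the same base in more than one PID, which are mapped images shared by both processes rather than payload, from per-process regions, and then matches the per-process regions by size. For this run the parent (PID 2600) and the dropped Client.exe (PID 3048) each have one private region of 0x324000 bytes at different bases, which fits the Files entry showing Client.exe with the same SHA256 as the submitted sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the dump names from the Files section of behavioral27.
SAMPLE_DUMPS = [
    'memory/2600-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp',
    'memory/2600-1-0x0000000000B90000-0x0000000000EB4000-memory.dmp',
    'memory/2600-2-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp',
    'memory/3048-8-0x0000000000960000-0x0000000000C84000-memory.dmp',
    'memory/3048-9-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp',
    'memory/3048-10-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp',
    'memory/2600-11-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp',
    'memory/3048-12-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp',
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP_NAME = re.compile(
    r'^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name):
    """Parse one dump file name into a Region, or return None if it does not match the format."""
    m = _DUMP_NAME.match(name.strip())
    if not m:
        return None
    return Region(int(m['pid']), int(m['seq']), int(m['start'], 16), int(m['end'], 16))


def unique_regions(names):
    """Regions deduplicated on (pid, start, end); the sandbox dumps the same range repeatedly."""
    seen, out = set(), []
    for name in names:
        r = parse_dump_name(name)
        if r and (r.pid, r.start, r.end) not in seen:
            seen.add((r.pid, r.start, r.end))
            out.append(r)
    return out


def shared_ranges(regions):
    """Address ranges present at the same base in more than one PID: mapped images, not payload."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r.start, r.end)].add(r.pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


def private_size_matches(regions):
    """Per-process (non-shared) regions grouped by size, keeping sizes seen in more than one PID."""
    shared = shared_ranges(regions)
    by_size = defaultdict(list)
    for r in regions:
        if (r.start, r.end) not in shared:
            by_size[r.size].append((r.pid, r.start))
    return {size: sorted(hits) for size, hits in by_size.items()
            if len({pid for pid, _ in hits}) > 1}


if __name__ == '__main__':
    regions = unique_regions(SAMPLE_DUMPS)
    for (start, end), pids in shared_ranges(regions).items():
        print(f'shared    0x{start:016X}-0x{end:016X} in PIDs {pids}')
    for size, hits in private_size_matches(regions).items():
        where = ', '.join(f'PID {pid} @ 0x{start:X}' for pid, start in hits)
        print(f'same size 0x{size:X} ({size} bytes): {where}')
```

A size match across PIDs is only a lead, not proof of the same image; the Files section's hash of the dropped file is what confirms it here.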

Analysis: behavioral30

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/2544-0-0x00007FF822563000-0x00007FF822565000-memory.dmp

memory/2544-1-0x000001EFDE530000-0x000001EFDE570000-memory.dmp

memory/2544-2-0x00007FF822560000-0x00007FF823021000-memory.dmp

memory/2544-4-0x000001EFE0270000-0x000001EFE0372000-memory.dmp

memory/2544-5-0x00007FF822560000-0x00007FF823021000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

103s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 5360 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 6004 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 6004 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 5540 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 5540 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 3036 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name
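
The Processes lines above, together with the schtasks lines under behavioral27, are the part of these detonations a detection engineer actually keys on: a scheduled task created with /sc ONLOGON and /rl HIGHEST whose action sits under the user's AppData, PowerShell turning off Defender components and adding a path exclusion, and a wmic/PowerShell chain that collects machine UUID, OS caption, RAM, CPU and GPU for the stealer's host fingerprint. The Python below is an added example and not part of this report or of any tool named in it; it tokenises those command lines (embedded as constructed sample input copied from the two Processes sections) and maps each to a technique label with the fields a rule would match on. The labels are this example's own vocabulary. Two caveats it encodes: the chained Set-MpPreference line uses `&&`, which Windows PowerShell 5.1 (the System32\WindowsPowerShell\v1.0 binary launched here) does not accept as a statement separator, so that line fails at parse time and is not by itself evidence that real-time monitoring was turned off; and even a well-formed call to disable real-time protection is blocked when Defender Tamper Protection is enabled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the command lines listed under Processes for
# behavioral27 (Quasar RAT) and behavioral4 (Umbral) in this report.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"',
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"',
    r""""powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'""",
    r""""powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2""",
    r'"wmic.exe" os get Caption',
    r'"wmic.exe" computersystem get totalphysicalmemory',
    r'"wmic.exe" csproduct get uuid',
    r""""powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER""",
    r'"wmic" path win32_VideoController get name',
]

_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')
# Technique labels are this example's own vocabulary, not the sandbox's signature names.
_WMI_ATTRIBUTES = [
    (re.compile(r'\bcsproduct\s+get\s+uuid\b'), 'machine_uuid'),
    (re.compile(r'\bos\s+get\s+caption\b'), 'os_caption'),
    (re.compile(r'\bcomputersystem\s+get\s+totalphysicalmemory\b'), 'ram_bytes'),
    (re.compile(r'\bwin32_videocontroller\s+get\s+name\b'), 'gpu_name'),
]

@dataclass
class Finding:
    technique: str
    details: dict = field(default_factory=dict)

def tokenize(cmdline):
    """Split on whitespace, keeping double- or single-quoted spans whole and unquoting them."""
    toks = _TOKEN.findall(cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in '"\'' else t for t in toks]

def _value_after(args, lower, switch):
    """Argument following a switch such as /tn or -ExclusionPath, or None if absent."""
    for i, a in enumerate(lower):
        if a == switch and i + 1 < len(args):
            return args[i + 1]
    return None

def classify(cmdline):
    """Map one process command line to a list of Finding objects (empty if nothing matches)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    exe = tokens[0].rsplit('\\', 1)[-1].lower()          # image base name, e.g. "schtasks"
    exe = exe if exe.endswith('.exe') else exe + '.exe'
    args = tokens[1:]
    lower = [a.lower() for a in args]
    findings = []
    if exe == 'schtasks.exe' and '/create' in lower:
        action = _value_after(args, lower, '/tr') or ''
        findings.append(Finding('scheduled_task_persistence', {
            'task': _value_after(args, lower, '/tn'),
            'trigger': (_value_after(args, lower, '/sc') or '').upper(),
            'action': action,
            'runlevel': (_value_after(args, lower, '/rl') or 'LIMITED').upper(),
            'action_in_user_profile': '\\appdata\\' in action.lower(),  # RAT self-install pattern
        }))
    elif exe == 'powershell.exe':
        if 'add-mppreference' in lower and '-exclusionpath' in lower:
            findings.append(Finding('defender_exclusion', {'path': _value_after(args, lower, '-exclusionpath')}))
        if 'set-mppreference' in lower:
            disabled = [args[i].lstrip('-') for i, a in enumerate(lower)
                        if a.startswith('-disable') and lower[i + 1:i + 2] == ['$true']]
            weakened = [f"{args[i].lstrip('-')}={args[i + 1]}" for i, a in enumerate(lower)
                        if a.startswith('-') and lower[i + 1:i + 2] and
                        lower[i + 1] in ('disabled', 'neversend', 'auditmode')]
            findings.append(Finding('defender_tamper', {
                'disabled': disabled, 'weakened': weakened,
                # '&&' and '||' exist only in PowerShell 7; Windows PowerShell 5.1, which the
                # System32\WindowsPowerShell\v1.0 path launches, rejects the whole line at parse time.
                'rejected_by_windows_powershell_5': any(a in ('&&', '||') for a in lower),
            }))
        if 'get-itempropertyvalue' in lower and 'processor_identifier' in lower:
            findings.append(Finding('registry_host_fingerprint', {'attribute': 'cpu_identifier'}))
    elif exe == 'wmic.exe':
        query = ' '.join(lower)
        for pattern, attribute in _WMI_ATTRIBUTES:
            if pattern.search(query):
                findings.append(Finding('wmi_host_fingerprint', {'attribute': attribute, 'query': ' '.join(args)}))
    return findings

def fingerprint_attributes(cmdlines):
    """Sorted host attributes a process tree collected, across all its command lines."""
    return sorted({f.details['attribute'] for c in cmdlines for f in classify(c)
                   if f.technique.endswith('_host_fingerprint')})

if __name__ == '__main__':
    for cmd in SAMPLE_CMDLINES:
        for f in classify(cmd):
            print(f'{f.technique:30} {f.details}')
    print('fingerprint collected:', fingerprint_attributes(SAMPLE_CMDLINES))
```

The per-line labels are what a process-creation rule would alert on; fingerprint_attributes() is the tree-level view, and five distinct hardware and OS attributes collected in quick succession by one parent is a stronger stealer signal than any single wmic call.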

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/3036-1-0x0000013057850000-0x0000013057890000-memory.dmp

memory/3036-0-0x00007FFCAECC3000-0x00007FFCAECC5000-memory.dmp

memory/3036-2-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ui4gvzh.5iw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3520-13-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

memory/3520-5-0x00000268AC4E0000-0x00000268AC502000-memory.dmp

memory/3520-14-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

memory/3520-15-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

memory/3520-18-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

memory/3520-19-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a0407fd3b6a0e95729793e05880b558
SHA1 c704aff8e50b66cc5e7eaa51fe8fa41b0ef76ab6
SHA256 d641339de65c0d9ffd34a706fa9fcf408f2da61bdedf37fddad0ae9c8654e23e
SHA512 a8cf10aa0ad92bb7a6dc4da5d8445bd2482864612071f525b3d0da92357dad56c1a690f8755e2dc138c044387871cdf8a3af6493af8bfbb2e34214eb809a0f72

memory/3036-33-0x0000013071FD0000-0x0000013072046000-memory.dmp

memory/3036-32-0x0000013071F80000-0x0000013071FD0000-memory.dmp

memory/3036-34-0x00000130596F0000-0x000001305970E000-memory.dmp

memory/3036-42-0x0000013059750000-0x0000013059762000-memory.dmp

memory/3036-41-0x0000013059720000-0x000001305972A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a58f982c18490e622e00d4eb75ace5a
SHA1 60c30527b74659ecf09089a5a7c02a1df9a71b65
SHA256 4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d
SHA512 ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

memory/3036-58-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

memory/1052-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/1052-1-0x0000000000BE0000-0x0000000000F36000-memory.dmp

memory/1052-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/1052-4-0x0000000000320000-0x000000000032A000-memory.dmp

memory/1052-3-0x0000000000320000-0x000000000032A000-memory.dmp

memory/2724-7-0x000000006C691000-0x000000006C692000-memory.dmp

memory/2724-9-0x000000006C690000-0x000000006CC3B000-memory.dmp

memory/2724-10-0x000000006C690000-0x000000006CC3B000-memory.dmp

memory/2724-8-0x000000006C690000-0x000000006CC3B000-memory.dmp

memory/2724-11-0x000000006C690000-0x000000006CC3B000-memory.dmp

memory/2724-12-0x000000006C690000-0x000000006CC3B000-memory.dmp

memory/1052-13-0x0000000004CF0000-0x0000000004D30000-memory.dmp

memory/1052-14-0x0000000004CF0000-0x0000000004D30000-memory.dmp

memory/1052-15-0x000000007463E000-0x000000007463F000-memory.dmp

memory/1052-16-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/1052-17-0x0000000000320000-0x000000000032A000-memory.dmp

memory/1052-18-0x0000000000320000-0x000000000032A000-memory.dmp

memory/1052-19-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-03-22 06:17

Reported

2025-03-22 06:45

Platform

win10v2004-20250314-en

Max time kernel

103s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/3928-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

memory/3928-1-0x00000000008A0000-0x0000000000BF6000-memory.dmp

memory/3928-2-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/3928-3-0x0000000005640000-0x000000000565C000-memory.dmp

memory/3928-4-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/3928-5-0x0000000005ED0000-0x0000000006474000-memory.dmp

memory/5772-7-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/5772-8-0x0000000005870000-0x0000000005E98000-memory.dmp

memory/5772-6-0x0000000002E20000-0x0000000002E56000-memory.dmp

memory/5772-9-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/5772-10-0x0000000074FA0000-0x0000000075750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txhnjxin.nba.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5772-16-0x0000000005650000-0x0000000005672000-memory.dmp

memory/5772-21-0x0000000005EA0000-0x0000000005F06000-memory.dmp

memory/5772-22-0x0000000006060000-0x00000000060C6000-memory.dmp

memory/5772-23-0x00000000060D0000-0x0000000006424000-memory.dmp

memory/5772-24-0x0000000006020000-0x000000000603E000-memory.dmp

memory/5772-25-0x0000000006440000-0x000000000648C000-memory.dmp

memory/5772-26-0x00000000069D0000-0x0000000006A02000-memory.dmp

memory/5772-37-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/5772-38-0x0000000006980000-0x000000000699E000-memory.dmp

memory/5772-27-0x000000006D230000-0x000000006D27C000-memory.dmp

memory/5772-39-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/5772-40-0x00000000075D0000-0x0000000007673000-memory.dmp

memory/5772-42-0x0000000007730000-0x000000000774A000-memory.dmp

memory/5772-41-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/5772-43-0x00000000077A0000-0x00000000077AA000-memory.dmp

memory/5772-44-0x00000000079B0000-0x0000000007A46000-memory.dmp

memory/5772-45-0x0000000007930000-0x0000000007941000-memory.dmp

memory/5772-46-0x0000000007980000-0x000000000798E000-memory.dmp

memory/5772-47-0x0000000007990000-0x00000000079A4000-memory.dmp

memory/5772-48-0x0000000007A90000-0x0000000007AAA000-memory.dmp

memory/5772-49-0x0000000007A70000-0x0000000007A78000-memory.dmp

memory/5772-52-0x0000000074FA0000-0x0000000075750000-memory.dmp

memory/3928-53-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

memory/3928-54-0x00000000075C0000-0x00000000075C8000-memory.dmp

memory/3928-55-0x000000000A9B0000-0x000000000A9E8000-memory.dmp

memory/3928-56-0x00000000075F0000-0x00000000075FE000-memory.dmp

memory/3928-57-0x0000000074FA0000-0x0000000075750000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted: 2025-03-22 06:17
Reported: 2025-03-22 06:45
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Network

N/A

Files

memory/2460-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

memory/2460-1-0x0000000000D70000-0x0000000000F7A000-memory.dmp

memory/2460-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/2460-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/2460-4-0x00000000003E0000-0x00000000003EE000-memory.dmp

memory/2460-5-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted: 2025-03-22 06:17
Reported: 2025-03-22 06:45
Platform: win10v2004-20250314-en
Max time kernel: 150s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6060 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 6060 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 6060 wrote to memory of 5432 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 6060 wrote to memory of 5432 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5432 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5432 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5432 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5432 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4556 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4556 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4556 wrote to memory of 6012 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4556 wrote to memory of 6012 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 6012 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 6012 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 6012 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 6012 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4672 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4672 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4672 wrote to memory of 5456 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4672 wrote to memory of 5456 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5456 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5456 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5456 wrote to memory of 5776 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5456 wrote to memory of 5776 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5776 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5776 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5776 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5776 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3548 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3548 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3548 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3548 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4088 wrote to memory of 5704 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 4088 wrote to memory of 5704 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 4088 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4088 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3132 wrote to memory of 944 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3132 wrote to memory of 944 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3132 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 3132 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 1380 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1380 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1380 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 1380 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 3108 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 3108 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 3108 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3108 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5772 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5772 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5772 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5772 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5864 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5864 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5864 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5864 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3680 wrote to memory of 5700 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 3680 wrote to memory of 5700 N/A C:\Users\Admin\AppData\Roaming\Output.exe
PID 3680 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3680 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3536 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3536 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3536 wrote to memory of 5304 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3536 wrote to memory of 5304 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

Output.exe and XClient.exe continue to alternate exactly as above for the rest of this part of the listing: 181 launches of C:\Users\Admin\AppData\Roaming\Output.exe and 180 launches of C:\Users\Admin\AppData\Roaming\XClient.exe in total (the two entries above included), every one with the bare quoted image path as its command line and no arguments, before the next distinct process:

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv n1nmVN9oGUygqVrAdI+tJg.0.2
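
The listing above is what a self-respawning pair looks like in raw sandbox output, and counting it by hand is error-prone. The following Python script is an added example and is not part of this report or of the sandbox's own tooling. It parses this exact layout (image path, blank line, command line, blank line), counts launches per image, flags images that keep respawning from a user-profile directory such as C:\Users\Admin\AppData\Roaming, measures the longest A,B,A,B run of two images relaunching each other, and tolerates a listing that is cut off after an image path. The respawn threshold of 3 is an assumption chosen to fit the constructed sample; the note that XClient.exe is the default client name produced by the XWorm builder is general knowledge, not something this report states (the report only tags the sample xworm). sihclient.exe launched with a /cv argument is the Windows Update server-initiated-healing client, normal background activity on the sandbox image, and the script does not flag it because it runs from System32 rather than a user profile.

```python
"""Triage a sandbox 'Command Line' listing (image path, blank line, command
line, blank line, repeated): count launches per image, flag images that keep
respawning from a user-writable directory, and find the longest A,B,A,B...
run, which is what two executables relaunching each other look like."""
from collections import Counter

# Well-known builder default (general knowledge, not stated by this report).
KNOWN_RAT_DEFAULT_NAMES = {"xclient.exe": "XWorm default client name"}

# Constructed sample in the report's own layout, not copied from the page;
# the final entry is deliberately cut off after its image path.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv n1nmVN9oGUygqVrAdI+tJg.0.2

C:\Users\Admin\AppData\Roaming\XClient.exe
""".strip("\n")


def parse_listing(text):
    """Return [(image, cmdline), ...]; a trailing image with no command line
    (listing cut off) is kept with cmdline=None so it still counts."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return [(lines[i], lines[i + 1] if i + 1 < len(lines) else None)
            for i in range(0, len(lines), 2)]


def is_user_writable(image):
    """Anything under a user profile; no Windows component launches from there."""
    return image.lower().startswith("c:\\users\\")


def has_no_arguments(image, cmdline):
    """Command line is just the (quoted) image path: a bare relaunch."""
    return cmdline is not None and cmdline.strip().strip('"') == image


def longest_alternation(entries):
    """(length, sorted pair) of the longest A,B,A,B... run of launches."""
    best_len, best_pair, run = 0, None, 1
    for i in range(1, len(entries)):
        img, prev = entries[i][0], entries[i - 1][0]
        two_back = entries[i - 2][0] if i >= 2 else None
        if img != prev and (two_back is None or img == two_back):
            run += 1                       # extends the current A,B,A,B run
        else:
            run = 1 if img == prev else 2  # same image twice, or a new pair
        if run > best_len:
            best_len, best_pair = run, tuple(sorted((prev, img)))
    return best_len, best_pair


def triage(text, respawn_threshold=3):
    """Summarise a listing; respawn_threshold is an assumed tuning value."""
    entries = parse_listing(text)
    counts = Counter(image for image, _ in entries)
    run_len, pair = longest_alternation(entries)
    known = {}
    for image in counts:
        name = image.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_RAT_DEFAULT_NAMES:
            known[image] = KNOWN_RAT_DEFAULT_NAMES[name]
    return {
        "launches": dict(counts),
        "respawning_from_user_profile": sorted(
            img for img, n in counts.items()
            if is_user_writable(img) and n >= respawn_threshold),
        "longest_alternating_run": run_len,
        "alternating_pair": pair,
        "bare_path_launches": sum(
            1 for img, cmd in entries if has_no_arguments(img, cmd)),
        "known_rat_names": known,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Fed the full listing from this report instead of the constructed sample, the two %AppData%\Roaming images come out with launch counts in the hundreds and an alternating run that spans almost the whole listing. Two binaries in a user-writable directory relaunching each other with no arguments, hundreds of times, is the watchdog behaviour worth a process-creation rule: on Sysmon Event ID 1, alert when both ParentImage and Image sit under \AppData\Roaming\ and the command line is nothing but the quoted image path.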

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

The same XClient.exe / Output.exe alternation resumes after sihclient.exe: 21 launches of each (the two entries above included), again with the bare quoted image path as the command line and no arguments, and the listing then continues with:

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
N/A 127.0.0.1:7000 tcp

Files

memory/6060-0-0x00007FF8DB273000-0x00007FF8DB275000-memory.dmp

memory/6060-1-0x0000000000500000-0x0000000000556000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 e0918682feb10b28a39a9cfbf4d2d90c
SHA1 c33f8518747e96955387bac3c8299eea24357fe0
SHA256 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01
SHA512 dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

memory/4140-27-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp

memory/5432-30-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 3ac2fbaa37549eb0c50eedbca0da41c2
SHA1 a486d241a02989d2adbff9785c7c39e68a2934af
SHA256 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd
SHA512 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7

memory/5432-32-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp

memory/5432-26-0x00000000005A0000-0x00000000005E6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/4140-21-0x00000000006B0000-0x00000000006C2000-memory.dmp

memory/4140-90-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp

memory/4140-94-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp

memory/4140-93-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp