Analysis Overview
SHA256
6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f
Threat Level: Known bad
The file archive_7.zip was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Njrat family
DcRat
DCRat payload
Detect XenoRat Payload
Quasar RAT
Umbral family
Xworm
Dcrat family
Xworm family
Remcos
Remcos family
UAC bypass
Detect Umbral payload
Vipkeylogger family
Quasar family
Quasar payload
Process spawned unexpected child process
Xenorat family
njRAT/Bladabindi
VIPKeylogger
Umbral
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Reads WinSCP keys stored on the system
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies registry class
Detects videocard installed
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Analysis: static1
Detonation Overview
Reported
2025-03-22 06:08
Signatures
DCRat payload
8 matches; no description, indicator, process or target was captured for this static signature.
Dcrat family
Detect Umbral payload
2 matches; no details captured.
Detect XenoRat Payload
1 match; no details captured.
Njrat family
Quasar family
Quasar payload
1 match; no details captured.
Umbral family
Xenorat family
Unsigned PE
25 matches; no per-file details captured.
Analysis: behavioral18
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
160s
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
54 identical hits, one per schtasks.exe /create invocation listed under Processes. WmiPrvSE.exe appearing as the parent instead of the dropper is consistent with the sample creating its child processes through WMI (Win32_Process.Create); a detection keyed on the dropper as the parent of schtasks.exe would miss this chain, while the WmiPrvSE.exe -> schtasks.exe pair itself is the reliable signal.
DCRat payload
5 matches; no details captured.
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings | C:\Users\Admin\Recent\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\TextInputHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'
C:\Users\Admin\Recent\RuntimeBroker.exe
"C:\Users\Admin\Recent\RuntimeBroker.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d481ea4f-eaf6-4f5a-92c5-6292586b303f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5616a14c-de2f-44b8-8c2d-ce6d68eaa14c.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b943ece4-5f3c-499e-9bf5-922357f3dbdf.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f816631-af94-4dde-a924-c43d5fe1283f.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e3198d-7084-42ad-920f-dba124e31d11.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac061e4-e7f9-4dbe-b070-eaf0ceb916dd.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2395a278-c7cc-4517-a65c-150eb79e12fe.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7db5887-4ac4-41e2-b648-4f3be53febc0.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eefd4a25-c381-43c2-b675-8731b5239b7f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69f96b2c-1b5c-46ee-b51c-a4898a1c55ce.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cce6cd55-c856-4800-82ef-80d625b9f183.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeaa8eac-87ee-449e-92d1-6c91bb3e4ec1.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa88264b-173a-4c9a-a2fb-86f9f5df373c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f14c8f2-c763-4ae1-9acf-86389fff29d6.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ddd023e-b825-4396-b032-436baa5096f6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d25e765-068b-4d09-a655-263c7795fc3d.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f005341-5865-4d0d-8495-42dedb8da939.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\740f474d-fbc6-4e70-9a96-b09bad997ed3.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab20ebb-59de-4491-9e31-fb0ca465f98b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac0e408-793d-4bec-8df3-2f946547d6db.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db098804-eaa4-4fea-b1a4-998ccebcf533.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b360418a-9589-475c-8281-ea23d60cd333.vbs"
C:\Users\Admin\Recent\RuntimeBroker.exe
C:\Users\Admin\Recent\RuntimeBroker.exe
Network
| Country | Destination | Domain | Proto |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
Files
memory/2732-0-0x00007FFF4DAA3000-0x00007FFF4DAA5000-memory.dmp
memory/2732-1-0x0000000000770000-0x0000000000912000-memory.dmp
memory/2732-2-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp
memory/2732-5-0x0000000002A20000-0x0000000002A30000-memory.dmp
memory/2732-4-0x0000000002BB0000-0x0000000002C00000-memory.dmp
memory/2732-3-0x0000000002B40000-0x0000000002B5C000-memory.dmp
memory/2732-7-0x0000000002B80000-0x0000000002B88000-memory.dmp
memory/2732-8-0x0000000002B90000-0x0000000002BA0000-memory.dmp
memory/2732-6-0x0000000002B60000-0x0000000002B76000-memory.dmp
memory/2732-9-0x0000000002BA0000-0x0000000002BA8000-memory.dmp
memory/2732-10-0x0000000002C00000-0x0000000002C0C000-memory.dmp
memory/2732-11-0x0000000002C10000-0x0000000002C1C000-memory.dmp
memory/2732-13-0x000000001B610000-0x000000001B61E000-memory.dmp
memory/2732-12-0x000000001B600000-0x000000001B60A000-memory.dmp
memory/2732-16-0x000000001B640000-0x000000001B64A000-memory.dmp
memory/2732-15-0x000000001B630000-0x000000001B638000-memory.dmp
memory/2732-14-0x000000001B620000-0x000000001B628000-memory.dmp
memory/2732-17-0x000000001BE10000-0x000000001BE1C000-memory.dmp
C:\Users\Public\AccountPictures\SppExtComObj.exe
| MD5 | 8b03d1f60bdf0b6465c0623109e7269e |
| SHA1 | 33fb1f09f53ca182e1112ed973fce8fa97e4398f |
| SHA256 | 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf |
| SHA512 | 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0 |
C:\Users\Public\AccountPictures\SppExtComObj.exe
| MD5 | cf2b637d6ce2f00e73f9c384f56e4c7d |
| SHA1 | b51ead76e7487b65815785a439466cf64dc1fb24 |
| SHA256 | eb3bc089086650585b14b85f61cf176ec41df79ebdede3b1de4a1ed7ff9e97ab |
| SHA512 | 5532ed4e22f304c729143bbb36dbe33b65e10c8c02563db19e5e2a9edde43730091bbb163d0b511af68537ff4ddfd0cfcdc6c9966deb7919beb4e247f5a638be |
C:\dfe2e59cddd00040f555dab607351a1d\smss.exe
| MD5 | 4ae12627b99be1ce48139f0c094fee57 |
| SHA1 | cbae347753b7170ce6e253ab2ebc22d3b76e94d2 |
| SHA256 | d49698d763409952744118ba7aa38019eedabae69719978a41ad54e074029d7a |
| SHA512 | 0467df50ab20127d2c76f22c15f54799f2f9c1d384d0b3eac1724544719de33ff20dcba870f8b37b420263324202e3b7417b7da0c1a3e466bc4339d7cb08e34c |
memory/2732-189-0x00007FFF4DAA3000-0x00007FFF4DAA5000-memory.dmp
memory/2732-213-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp
C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe
| MD5 | 6872948a18b1dfac9e62136f806bb439 |
| SHA1 | 1d4d8fda1d3ddfaa4a6c6d272d5121e5cbbd7bbf |
| SHA256 | 9a7a4e98dce80395ca80d0ba80d22c2479ffdcc23332eb97d165402f6494bbdc |
| SHA512 | 92420579786621a156a7660b4445fc9bf1b417b0212a41129e783a02e97f3b040b236e1dd79c8419e1334354f68963d50e29d4ea99b5de3c22e383e875df0490 |
memory/5116-333-0x00000211E40F0000-0x00000211E4112000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvbdz55r.b3p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2732-507-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b0bd0ba1b6d523383ae26f8138bac15f |
| SHA1 | 8d2828b9380b09fe6b0a78703a821b9fb8a491e5 |
| SHA256 | a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1 |
| SHA512 | 614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 48b2b59bd1016475be4de4e087bb8169 |
| SHA1 | ecf9263187e29dc612224a6e1a4c5243ed110040 |
| SHA256 | df0e6548235499fc2881ef422771ee034eb86dadbcecb94f4c324ea1a0a7a209 |
| SHA512 | 2186e40f82a80a3a89ec630c4d148b9f10424888635632e188eb32fc3f2d91e9a59fdf205810f4d33d3319cf35f9fcb8808c89ab7f7d553296c3969c1a1feb03 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | af1324e7a4e3e6cfc7ee7add0391f0b9 |
| SHA1 | 19117163248a95e5ceb83b6dc8c21e396f33bcaf |
| SHA256 | a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52 |
| SHA512 | 6a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1b2770b6e93963548483b9857a191b12 |
| SHA1 | da1f36e92f6f116ea4d6300b279be899ed6413a8 |
| SHA256 | 4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b |
| SHA512 | 6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a0a5a1b68ad6facd1636fe5f5e1c4359 |
| SHA1 | e4fee6d6a2476904d9ba14d9045341df3616ca4a |
| SHA256 | 7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a |
| SHA512 | 1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 452593747a6f6f0b2e08d8502e1ec6e7 |
| SHA1 | 027c3a7f5f18e7a1e96bbf2a3d3c267e72821836 |
| SHA256 | 495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d |
| SHA512 | 17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30552f7617959d837dbc5167ec0a3824 |
| SHA1 | a471b8d31983b3885cee92ead3f3f2b6621c1ebe |
| SHA256 | c8f05399999cda0a1d159d9be58d5d7e39b783290d57a238cfdb22c000301c18 |
| SHA512 | 37af8e93814f95ea8773b093803ca74475fcc2f0006bcbbd0ecc28d6ab6acb742afed81d5b859f6429128761b440a355f2b35fe38242fae9d8069c8ab23c84b2 |
C:\Users\Admin\AppData\Local\Temp\d481ea4f-eaf6-4f5a-92c5-6292586b303f.vbs
| MD5 | ffcad7faabbc2ae13a70e31e5051dec8 |
| SHA1 | 6310e51e39b79a06eb76c40f7b7da1330737d36f |
| SHA256 | c287d949a5efda989a10179e6091090c6c3c653bed18423e64de23f2b4aa1ef9 |
| SHA512 | a314f9d3110623f8f7f7e3c0097c291d32bde19978ca3958e199a4dbb118ecb4f08f19bc870b7e9abf7981114e2a4195ae5428195eb7c6ef1440005009f9d40e |
C:\Users\Admin\AppData\Local\Temp\5616a14c-de2f-44b8-8c2d-ce6d68eaa14c.vbs
| MD5 | a16ac61e071c7a8babbd6fe177c24503 |
| SHA1 | c4fc328a93e45af371648b0f87d04fa1a419b36e |
| SHA256 | 8113e0b6dbf74d84cf0b201e6c07f0c675d639c1d9f7c395446aa8d171ec1d57 |
| SHA512 | 7b416dc315c48f32a59bd947ffb236808a5927200cd38e10b88c74b308c6faf526c49437b99b736259618cfaff484071b8ec7cb49c41d7514d89c9fccf1e44a6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | 3690a1c3b695227a38625dcf27bd6dac |
| SHA1 | c2ed91e98b120681182904fa2c7cd504e5c4b2f5 |
| SHA256 | 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73 |
| SHA512 | 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1 |
C:\Users\Admin\AppData\Local\Temp\b943ece4-5f3c-499e-9bf5-922357f3dbdf.vbs
| MD5 | ea2ba168a1a960d3bf74d47ff2723ed1 |
| SHA1 | 57d21973ece5d83cabed544569dacc10e00d5b21 |
| SHA256 | f4947b4588965189fb0eeeb75efcefa3bfb881adc38590c8ef3596f69f92d0a8 |
| SHA512 | 02e945330d47813296c0709fc59e916e7f82a1bf8548fc5503b61ef719984ceb88757783b501e7d127344ae418e25d20195f72ceb0f1aaa81b59909c1368b1d7 |
C:\Users\Admin\AppData\Local\Temp\10e3198d-7084-42ad-920f-dba124e31d11.vbs
| MD5 | d83ec6d086dcf7efe0f3e0e064f73587 |
| SHA1 | b527001a736133532c54ba8e6a18e096cb5dee5a |
| SHA256 | a03de9211655120fdddb6c2480018f95b0e42a235e664a4337a2bbda71811b35 |
| SHA512 | f50618fa67de7f7c597f56a4bc0236791e9ae651240085fa1a89b27e1c8ff3eeee2976df01e95b966147bfbb837ce8fdecffeeefea8d0a1d9a09d7e37d27cf13 |
C:\Users\Admin\AppData\Local\Temp\2395a278-c7cc-4517-a65c-150eb79e12fe.vbs
| MD5 | 65b9b593f51e829b5b210db754293a16 |
| SHA1 | 0e54fc6a77d154dc9300d73009c38850f2e19c98 |
| SHA256 | 5ae198ef84c1dfa044fdd758e7ad3ee87fd35aa0d371a92c4de4a8854cc7ef3e |
| SHA512 | c7df026a2bf2d384d9c03d0c59f2463f6af188fb9bfbb86141e6fbfa274ad097c1e6a7a71c3a16f07e4916f04f5c926c490f6ac999ab85a7191aa1c53322db38 |
C:\Users\Admin\AppData\Local\Temp\eefd4a25-c381-43c2-b675-8731b5239b7f.vbs
| MD5 | 5394c6d24af841729f977aaeb6b19d76 |
| SHA1 | e9aa288ed65738b440fe284b4e6e3b37ae8aa8b5 |
| SHA256 | eafa6802bd776452cf7aff79b5bea8070265e58e2092df7c78a112031bf8a7b4 |
| SHA512 | 20c478815dc9f33101b471a7e5f8eddbe84f64f5d807b322f6d99295d444c1abdd80c4c930473d78b183e141269167612e1997a8b4ad9a4dab99ec20efb2a39f |
C:\Users\Admin\AppData\Local\Temp\cce6cd55-c856-4800-82ef-80d625b9f183.vbs
| MD5 | 9d00d2598027ebd4b9f00eaa1db4be06 |
| SHA1 | c5092622cf0fe9d42c31daaad7256b3d7385382c |
| SHA256 | 49e789b54de3aa7d8296baaee8d7abbcd81f2165705708902085316cfad4e8d5 |
| SHA512 | 8929d5c594551f1b41eaee2d9d90deb2e433d55bc7b7745a18573a1a9336089f5f101d8d9bb8723c932416f15d6da8cc81a10cf92d754f5855233cb2b1d22278 |
C:\Users\Admin\AppData\Local\Temp\fa88264b-173a-4c9a-a2fb-86f9f5df373c.vbs
| MD5 | 0bf93df1b6b79cb3ec153a918419f304 |
| SHA1 | c80755e45c3bf5e644641b652488978192fa4bf4 |
| SHA256 | 66f2b9832f58a560793952ffad0b0e80728cd785b00ffeb2bddc7cfcec8a905c |
| SHA512 | bbba78f899c3b697a0c823448b5c16443905ee730626cad6e10eb9d064209f7caadd373d8bec67493dca2bdf03111060d8723154a62abc92272e13eb8857bc2f |
C:\Users\Admin\AppData\Local\Temp\5ddd023e-b825-4396-b032-436baa5096f6.vbs
| MD5 | a29206e37e9e9cd58530b2072ecec39c |
| SHA1 | ae7dccdae8f78ba47322df83dd2f75376532d318 |
| SHA256 | d12875af02bd87eb1a9c976762a85676681f9d01a77d0e68c83d5c9306bacf0f |
| SHA512 | c22374faecc55ab82cbfb7b0dc55ffacd7fb4a59e10eca83a6ed1c71d681ef863f65c53096f79d9a49de7c014670066609389edaf1f0756602e9852b09947908 |
C:\Users\Admin\AppData\Local\Temp\0f005341-5865-4d0d-8495-42dedb8da939.vbs
| MD5 | 0d06d8856eafbd12e01b3f01a6b1ff66 |
| SHA1 | 5a49ff5de9b27d19cc1b7e55f9b85509a2f92d12 |
| SHA256 | 83201592612db6e37cd267cf51b5cfb4e2c6130492d5f4431d5bbb0c3bdff08b |
| SHA512 | 5004913752d69f45da91b420310c0ba6fc9558f33400da486b15ae451fe77a9d9813a90e47f1985c0fa9f28249e3c321ccb50c7c312edd479fe51276458d9cb5 |
C:\Users\Admin\AppData\Local\Temp\eab20ebb-59de-4491-9e31-fb0ca465f98b.vbs
| MD5 | d8b3c75c6d2563a995d6f012a0c6d2d4 |
| SHA1 | 82d2eb4f976431cb381b51f7abbbc0387b96589c |
| SHA256 | c2cbef1fd8f876d78bf04a4e097201413faf236d52686b867a005661c3858c03 |
| SHA512 | 78e4fae2904da470a9d1403b171aeedb67d2715f7f78802d7bd32cb9467a798bdd198bf9c758106ea6b6d4c88a209f2e0c04e7e85e26e4d34b43f9407af029a0 |
C:\Users\Admin\AppData\Local\Temp\db098804-eaa4-4fea-b1a4-998ccebcf533.vbs
| MD5 | f86d6e28dee4ae5a8dcd6b6b0e07a2b3 |
| SHA1 | 64caf0f9b2a5eacc7864f431b9b68f349d27f20e |
| SHA256 | 34d765f215b75a72fa05c7230ed57f307280cb8b5e58844a24ad5a2d18d6a66f |
| SHA512 | b481d0f8c0540aeb7888c8a8f1c2b2385cd1c8db5a1968d84ac7ce15b3b571a3dba053a92d3c0b92bc851e2e702d2a9c02b0601f813b26c1d9c808682891442c |
Analysis: behavioral23
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:12
Platform
win7-20241010-en
Max time kernel
146s
Max time network
167s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2904 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 2904 set thread context of 2096 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe
"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
Files
memory/2348-0-0x0000000077BE0000-0x0000000077D89000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 52fb55a1222aba62a80fe4888cd5f0a0 |
| SHA1 | db6bda74d90463c533a29e49cc715242661d562e |
| SHA256 | e0c3c50f574a2d872991aec7082e075f3813e8c913c679a8e4f5e1d3606eeafd |
| SHA512 | 747447b49572c1cb74fdb18d3551beff0e4065270555e1459f13353a8b4c3af7e1bc95ae601d56556728f95717c103b9e8a798d937e34a19c45b04089902d3d8 |
memory/2904-27-0x0000000077BE0000-0x0000000077D89000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5B88.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5b8dc854ffde479cf114866dc67a1c0 |
| SHA1 | 14e3e4622a05a5cbdd313909265434bb840ede7b |
| SHA256 | 8a3974fbd90e9aec41f3cd345795bdfe242e8c43759f19ca775fc507e0b38ab9 |
| SHA512 | fec44464522b17068fab0a425bcdfcf12d791a370898262a8e60713bb3a5f1ae411cebdc381f54ab51871aee0e7779df61b2fb2a5d237c92e189893e597987b2 |
C:\Users\Admin\AppData\Local\Temp\Tar6A87.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/2148-84-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2148-81-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2148-77-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2096-86-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2096-85-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2096-76-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2096-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2148-61-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2148-59-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2148-57-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2148-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2148-63-0x0000000000080000-0x0000000000090000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240729-en
Max time kernel
139s
Max time network
158s
Command Line
Signatures
Remcos
Remcos family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2340 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe
"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
Files
memory/2188-0-0x0000000074351000-0x0000000074352000-memory.dmp
memory/2188-8-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2188-11-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2188-12-0x0000000074350000-0x00000000748FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
| MD5 | 0a18d56f34538070a8a715ec937a8929 |
| SHA1 | 0ae813ceb71e5dc1e4ace6b1def908041bf4b3b4 |
| SHA256 | 8a7e36230788c35f10b15313f478cd339dd30e609bf25d56be769a22a8bc0736 |
| SHA512 | 4264c9e915db1a30901025078828c82c353855f255fbc5ddefe75078dc0f5dc1eaa2a1fe8270c11fc8f051319409fbb2e52938399f51334a43291a7f4a50f8e6 |
memory/2340-31-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2340-40-0x0000000074350000-0x00000000748FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8288.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40ca96e0ed10369126a9e46b5a5f3a63 |
| SHA1 | 2cec116f70862928f2d11e39b0d67dd7d74a28e6 |
| SHA256 | 2ca5a4fe29a9023cd5c246f6b9da8dab9c0890b69f2abc316f1d3cae86631558 |
| SHA512 | 99e7a81083dc1d2da1af995f5ff9be693b6c48d432fce5f4e08e68f9f02c83e28fe09b944b6eb9e0f0323b08b5fef2da4604c88eea25b6a930a81f10381cb9db |
memory/2188-30-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2340-42-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2340-41-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2168-56-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-65-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-64-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-63-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-60-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-59-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2340-66-0x0000000074350000-0x00000000748FB000-memory.dmp
memory/2168-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2168-52-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-48-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-46-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-50-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-44-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2168-69-0x0000000000400000-0x0000000000417000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
119s
Max time network
152s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2452 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp"
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.16.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2452-3-0x0000000000B30000-0x0000000000B40000-memory.dmp
memory/2452-2-0x0000000074610000-0x0000000074CFE000-memory.dmp
memory/2452-1-0x0000000000B40000-0x0000000000BF2000-memory.dmp
memory/2452-0-0x000000007461E000-0x000000007461F000-memory.dmp
memory/2452-4-0x000000007461E000-0x000000007461F000-memory.dmp
memory/2452-5-0x0000000074610000-0x0000000074CFE000-memory.dmp
memory/2452-6-0x0000000004680000-0x000000000470E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | de4be458c2cfefc6beee3c56062c6183 |
| SHA1 | fe3886cda20167b5d7bf95fa9b378365217c1d66 |
| SHA256 | 39a329d4ae9ffd316b6fa338127d7d727bb17cf30e0cc0178f322b2933cbf7d1 |
| SHA512 | 7d9ea9a7a0df15d72be8d378a8546a6d43a56bdc319754746060f404a1f14712b82a0498e95b9684111db313c9f7e7a53a3e496afbed65a866ca6b8071d1b8c9 |
C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp
| MD5 | 466b40fe54d1ea6c03f569d5bb3607e2 |
| SHA1 | 1699e64c15e44b536752d2bd40799ffffbea167c |
| SHA256 | d6e49379d1626cb5811940cfb7b29b40cc313c6986b80388ed603db300ac4dc2 |
| SHA512 | 6566bff61ee5c8c730372e65fc2dd7088d94ddd5c5a796adfb2efcde2052585da18693b55173c58cadfb7a800baed853760f82c5b3a97fd3338634e5ff5dda6a |
memory/2604-19-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2604-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2604-30-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2604-29-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2604-28-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2604-25-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2604-23-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2604-21-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2452-31-0x0000000074610000-0x0000000074CFE000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:13
Platform
win10v2004-20250314-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4068 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6EA.tmp"
C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.112.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4068-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp
memory/4068-1-0x00000000006E0000-0x0000000000792000-memory.dmp
memory/4068-2-0x00000000057A0000-0x0000000005D44000-memory.dmp
memory/4068-3-0x00000000051F0000-0x0000000005282000-memory.dmp
memory/4068-4-0x0000000005190000-0x000000000519A000-memory.dmp
memory/4068-5-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4068-6-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/4068-7-0x0000000074D1E000-0x0000000074D1F000-memory.dmp
memory/4068-8-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4068-9-0x0000000006380000-0x000000000640E000-memory.dmp
memory/4068-10-0x0000000006600000-0x000000000669C000-memory.dmp
memory/3496-15-0x00000000022D0000-0x0000000002306000-memory.dmp
memory/3496-16-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/3496-17-0x0000000004E40000-0x0000000005468000-memory.dmp
memory/3496-18-0x0000000074D10000-0x00000000754C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC6EA.tmp
| MD5 | 4e219603837fe6ee25d4576f583233dc |
| SHA1 | 8a9eb16f1270e1edc571a42dafd7c3b082ce039e |
| SHA256 | da153726efe377f2ef593789dd19efa0c784bb2e343f2388c8823da46fb01fb4 |
| SHA512 | 898c875f3fa8388b8c939f20fc547fd1438e038fce438d75e27301641b3ce00fd582311fec565cc45d95e6480efc81d6af1c6f6c8577901192169460a37a681e |
memory/3496-20-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/5184-25-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/3496-23-0x0000000005470000-0x00000000054D6000-memory.dmp
memory/3496-27-0x0000000005600000-0x0000000005954000-memory.dmp
memory/3496-22-0x0000000004D10000-0x0000000004D32000-memory.dmp
memory/4068-28-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/5184-29-0x0000000074D10000-0x00000000754C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pd4cslzm.5ib.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4088-21-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3496-24-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/3496-48-0x0000000005BB0000-0x0000000005BCE000-memory.dmp
memory/3496-49-0x0000000005C40000-0x0000000005C8C000-memory.dmp
memory/3496-50-0x0000000006DA0000-0x0000000006DD2000-memory.dmp
memory/5184-61-0x00000000711E0000-0x000000007122C000-memory.dmp
memory/3496-71-0x0000000006170000-0x000000000618E000-memory.dmp
memory/5184-72-0x0000000007580000-0x0000000007623000-memory.dmp
memory/3496-51-0x00000000711E0000-0x000000007122C000-memory.dmp
memory/5184-74-0x00000000076B0000-0x00000000076CA000-memory.dmp
memory/5184-75-0x0000000007720000-0x000000000772A000-memory.dmp
memory/5184-73-0x0000000007CF0000-0x000000000836A000-memory.dmp
memory/3496-76-0x0000000007170000-0x0000000007206000-memory.dmp
memory/5184-77-0x00000000078B0000-0x00000000078C1000-memory.dmp
memory/5184-79-0x00000000078F0000-0x0000000007904000-memory.dmp
memory/5184-80-0x00000000079F0000-0x0000000007A0A000-memory.dmp
memory/5184-81-0x00000000079D0000-0x00000000079D8000-memory.dmp
memory/5184-78-0x00000000078E0000-0x00000000078EE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d98726e7cdd069cf6da75b757bf34e33 |
| SHA1 | 16e512e7f9e25637de274ee343b59c4e72db71e8 |
| SHA256 | 7211efda1373db1ddf0c3f84fe6050c3650c5e0ebc9cfae88b8ff31aa9870bcf |
| SHA512 | 1a47ad824479b7b5749e801c99d74b6a600c387381aa1fce5609877fa742bc8ae4ecc23570d6fcf80a7a0d6407d11ad9a19493f029fbbc7bf1f21129afd94fd7 |
memory/5184-88-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/3496-87-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4088-89-0x0000000006E50000-0x0000000007012000-memory.dmp
memory/4088-90-0x0000000006CF0000-0x0000000006D40000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20241023-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe
"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iznarf.bplaced.net | udp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
Files
memory/2908-0-0x000007FEF69BE000-0x000007FEF69BF000-memory.dmp
memory/2908-1-0x000007FEF6700000-0x000007FEF709D000-memory.dmp
memory/2908-3-0x000007FEF6700000-0x000007FEF709D000-memory.dmp
memory/2908-2-0x000007FEF6700000-0x000007FEF709D000-memory.dmp
memory/2908-4-0x000007FEF6700000-0x000007FEF709D000-memory.dmp
memory/2908-7-0x000007FEF6700000-0x000007FEF709D000-memory.dmp
memory/2908-8-0x000007FEF69BE000-0x000007FEF69BF000-memory.dmp
memory/2908-9-0x000007FEF6700000-0x000007FEF709D000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
149s
Max time network
168s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2512 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2512 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 2512 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 3364 wrote to memory of 5852 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3364 wrote to memory of 5852 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe
"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
Files
memory/2512-1-0x00000000003B0000-0x00000000006D4000-memory.dmp
memory/2512-0-0x00007FFDD8543000-0x00007FFDD8545000-memory.dmp
memory/2512-2-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 35110eedb3518d1905b88025bf11b77d |
| SHA1 | c39e96cc0dcb14065984c3d3fbff331070e37feb |
| SHA256 | 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd |
| SHA512 | 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2 |
memory/3364-9-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp
memory/3364-10-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp
memory/3364-11-0x000000001B040000-0x000000001B090000-memory.dmp
memory/3364-12-0x000000001D140000-0x000000001D1F2000-memory.dmp
memory/2512-13-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp
memory/3364-14-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
150s
Max time network
161s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Executes dropped EXE
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\RCXE5FE.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\RCXE5FF.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\CrashReports\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Google\CrashReports\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCXBFAA.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\RCXD192.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCXC662.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Portable Devices\RCXC8D4.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCXCB46.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCXCD89.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\fr-FR\RCXD3A6.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\fr-FR\dwm.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\RCXE38C.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\RCXD193.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\fr-FR\RCXD3B7.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXD628.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXD629.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\RCXD89A.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\RCXD89B.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\RCXE38D.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\cc11b995f2a76d | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCXC661.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\System.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows Mail\fr-FR\dwm.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Google\CrashReports\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\csrss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows Mail\fr-FR\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\explorer.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCXBF2C.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows Portable Devices\RCXC866.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCXCAD8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\046b773a97cb66 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\RCXCD69.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\System.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\explorer.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppPatch\Custom\Custom64\csrss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Windows\AppPatch\Custom\Custom64\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\RCXE870.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\RCXE871.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Windows\AppPatch\Custom\Custom64\csrss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |
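Worked example, added to this report and not part of the sandbox output: a Python triage script that reads the line shapes shown here (the Set value rows above, and the schtasks /create and Add-MpPreference command lines in the Processes section below) and turns them into findings: a UAC policy value set to 0, a Windows binary name planted outside its home directory, tasks registered with /rl HIGHEST or a sub-15-minute /mo interval, the task-naming convention this sample uses, and Defender path exclusions. The EXPECTED_DIR map and the final benign control line are assumptions made for the example; the other sample lines are copied from this report.

```python
"""Triage persistence and defense-evasion indicators from sandbox report lines.

Added example for this report; it is not part of the sandbox output. It parses
the line shapes the report shows (registry Set-value rows, schtasks /create and
powershell Add-MpPreference command lines) and returns findings. EXPECTED_DIR
is an assumption about where each impersonated Windows binary legitimately
lives; adjust it for your estate.
"""
import ntpath
import re

# Values under Policies\System that, when set to 0, weaken or disable UAC.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Binary name reused by the sample -> directory the genuine file lives in (lowercase).
# None marks kernel pseudo-process names that have no on-disk file, so any file by
# that name is a masquerade. Assumed map, not taken from the report.
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "sppsvc.exe": r"c:\windows\system32",
    "dllhost.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "lsm.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "osppsvc.exe": r"c:\program files\common files\microsoft shared\officesoftwareprotectionplatform",
    "idle.exe": None,
    "system.exe": None,
}

REG_SET = re.compile(r'Policies\\System\\(\w+)\s*=\s*"(\d+)"')
EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)
TASK_SCHED = re.compile(r"/sc\s+(\w+)", re.I)
TASK_MOD = re.compile(r"/mo\s+(\d+)", re.I)
TASK_RUN = re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I)   # /tr "'C:\path\x.exe'"
TASK_LEVEL = re.compile(r"/rl\s+(\w+)", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)


def masquerade(path):
    """Finding if `path` reuses a Windows binary name outside that binary's home directory."""
    name = ntpath.basename(path).lower()
    if name not in EXPECTED_DIR:
        return None
    home = EXPECTED_DIR[name]
    if home is None or ntpath.dirname(path).lower() != home:
        return ("masquerade", path)
    return None


def assess_task(cmdline):
    """Findings for one `schtasks /create` command line."""
    findings = []
    name, run = TASK_NAME.search(cmdline), TASK_RUN.search(cmdline)
    if not (name and run):
        return findings
    task, target = name.group(1), run.group(1)
    hit = masquerade(target)
    if hit:
        findings.append(hit)
    level = TASK_LEVEL.search(cmdline)
    if level and level.group(1).upper() == "HIGHEST":
        findings.append(("task_highest", task))          # elevated once UAC is off
    sched, mod = TASK_SCHED.search(cmdline), TASK_MOD.search(cmdline)
    if sched and sched.group(1).upper() == "MINUTE" and mod and int(mod.group(1)) <= 15:
        findings.append(("task_rapid_repeat", task))     # relaunched every few minutes
    # Naming convention visible in this report: task name = file stem + its first
    # letter ("csrss.exe" -> "csrssc"); the ONLOGON twin uses the bare stem.
    stem = ntpath.splitext(ntpath.basename(target))[0]
    if task.lower() == (stem + stem[:1]).lower():
        findings.append(("task_name_stem_plus_initial", task))
    return findings


def analyse(lines):
    """Run every detector over report lines; returns a list of (kind, detail) tuples."""
    findings = []
    for line in lines:
        reg = REG_SET.search(line)
        if reg:
            if reg.group(1) in UAC_VALUES and reg.group(2) == "0":
                findings.append(("uac_weakened", reg.group(1)))
            continue
        exc = EXCLUSION.search(line)
        if exc:
            findings.append(("defender_exclusion", exc.group(1)))
            hit = masquerade(exc.group(1))   # the excluded path is usually the payload itself
            if hit:
                findings.append(hit)
            continue
        if SCHTASKS_CREATE.search(line):
            findings.extend(assess_task(line))
    return findings


# Sample input: the first five lines are copied from this report; the last one is
# a constructed benign control that must produce no findings.
SAMPLE_LINES = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |',
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "'C:\Program Files\Acme\backup.exe'" /f""",
]

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LINES):
        print(f"{kind:28} {detail}")
```

Each `schtasks /create` here comes in a triplet (a MINUTE task without `/rl`, an ONLOGON task with `/rl HIGHEST`, and a second MINUTE task with `/rl HIGHEST`), so the same target path should appear in the findings three times; on a live host the equivalent checks are the three Policies\System values, `Get-MpPreference | Select ExclusionPath`, and the action path of every task `schtasks /query /v /fo csv` returns.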
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe
"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367d32be-5bd8-432d-8a4b-cf462ccb5190.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d7f4857-fd77-4ebf-9743-a7ce76ad4959.vbs"
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\558e0494-7bb6-46d1-8da6-b7d7bd26b796.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17ef93a9-ea76-482e-ae90-a1a15a6afe67.vbs"
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aa97c8d-c938-4752-be83-cf16ba904cd5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb9f58f-91fa-4bfd-9034-59f39cc2ceed.vbs"
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\960df572-8523-4233-a5bc-eabd754d9a2c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3220d702-8c60-4c65-aa9c-7283d27b9f48.vbs"
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7468d560-5b21-4138-aacd-8df13e67b10f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a38f62d4-ecfe-4316-81c7-15798ac32855.vbs"
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c162ae6-1789-4fc0-b1e4-cebed116dd99.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6069be-d655-4237-83da-dd02e2db6cfc.vbs"
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecdd0072-ac3f-4e19-a57f-4f9c266bab2a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1633e71-b672-468f-96e6-9a062db59ddc.vbs"
Network
| Country | Destination | Domain | Proto |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
Files
memory/1712-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp
memory/1712-1-0x0000000000CE0000-0x0000000000ECA000-memory.dmp
memory/1712-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp
memory/1712-3-0x00000000003D0000-0x00000000003EC000-memory.dmp
memory/1712-4-0x00000000003F0000-0x00000000003F8000-memory.dmp
memory/1712-5-0x0000000000510000-0x0000000000520000-memory.dmp
memory/1712-6-0x0000000000A40000-0x0000000000A56000-memory.dmp
memory/1712-7-0x0000000000520000-0x000000000052A000-memory.dmp
memory/1712-8-0x00000000023B0000-0x0000000002406000-memory.dmp
memory/1712-10-0x0000000000A70000-0x0000000000A78000-memory.dmp
memory/1712-9-0x0000000000A60000-0x0000000000A6C000-memory.dmp
memory/1712-12-0x0000000000B00000-0x0000000000B12000-memory.dmp
memory/1712-13-0x0000000000B10000-0x0000000000B1C000-memory.dmp
memory/1712-16-0x000000001A9B0000-0x000000001A9B8000-memory.dmp
memory/1712-17-0x000000001ADD0000-0x000000001ADDC000-memory.dmp
memory/1712-15-0x000000001A9A0000-0x000000001A9AE000-memory.dmp
memory/1712-14-0x000000001A990000-0x000000001A99A000-memory.dmp
memory/1712-18-0x000000001ADE0000-0x000000001ADEC000-memory.dmp
C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe
| MD5 | 192f0f1221e376146e725a4d23ee69a0 |
| SHA1 | 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff |
| SHA256 | 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d |
| SHA512 | daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54 |
C:\Program Files (x86)\Google\CrashReports\winlogon.exe
| MD5 | 9cb7fbe5f1b87bad3ca1337d1e37b4b7 |
| SHA1 | df5d3354faba2c8e5c071114c12db899eed42916 |
| SHA256 | 5fd1991a0955b2bd39ea13283b3d2af42f55fdad3a01983d3152a443a2797fbf |
| SHA512 | b930c4d8ced639e8abf1431fdc472a5578ef12fef5aa0655e53d0a91d4cdb4adcdf4ac409f68c5a2844b96349dd2cb80ccddc8f35cc570b67c2bb53ec8c49d6e |
C:\Users\Public\Favorites\wininit.exe
| MD5 | 7250e8f37879c317955a66be6a84494d |
| SHA1 | 6390dc1cd0823a2fe008c16cfee0657f1b5009ff |
| SHA256 | 45fe19263445901da1c8f25822442e155fc571ed287f0d58d6791aabb4b40546 |
| SHA512 | ba64474733a15b6ec29e9728281257aa54051a46cf7a71a04e0c52761056faccaac7da4c0f63b7ae161587ec5a96a807d259784a076e39e9bdd6a004d4b49413 |
C:\Program Files\Windows Portable Devices\csrss.exe
| MD5 | 6adc7438bacfd0b487b70b32d9d61129 |
| SHA1 | 62407c0e86ac037c7e20cbb01044b6f4f39099fd |
| SHA256 | cb4ecf850565228ac3a5e9c481558228c7eecb8bee6949b10c06fd9170d9d739 |
| SHA512 | 60a20f70b273da351b42083034d59ff9437849cb36371bd869448a1e0a90588a180a43cfe9fbc642c95fa3b4f866966d0ecd635d6d3722583ff7f8ce984d4d32 |
C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe
| MD5 | 3c5a8fb0efa0383426f86a52226ec298 |
| SHA1 | ed126bfde67434f35faf9c68a4aed275ab7dd450 |
| SHA256 | 02be0d6a338743310baa7e991f33a636bb3f2ad9556ccd348203a2470d52bb49 |
| SHA512 | 696f03e29e8aa7df070bdee594e65f729cb96fa9a3b4e7da1d34b4f9c80c7bc21e33f334ff2cff5af284ae9537a60b121a1ee46050179a51e87c3800f2fb094c |
memory/1712-174-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp
memory/1712-199-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp
C:\Users\Default\Documents\spoolsv.exe
| MD5 | bff0cebd6b7da74a3c67902ac6e8f49e |
| SHA1 | c76d32fc318ca883b5ac44de6d3b692d4faab86a |
| SHA256 | dbd3675696fb0d87fb51ee41122afcd7fb00a723543ff32133bea4d51dfbf7fc |
| SHA512 | bd24b0bcdd5edf6785e061cd5ab7678bd151c1274500502cce5da43296fd0937802286330c69964684a8e4b479b6b745a5fc4a715236ea8f0223dc35304d5572 |
C:\Users\Default\Saved Games\OSPPSVC.exe
| MD5 | 11045deafaf02537620e3f5a39a7487d |
| SHA1 | 6348b067d2c135c4008c4b6cea21cd8a5d93d33b |
| SHA256 | 5a72aaddd31152462f2965fe4b1f434a1cb6a665c2b0cc681eb44e67de74ff87 |
| SHA512 | c7a588ebe10be7a61ca0f84e1f6970c47237793b2ec63752416ac242b00f850f7ce4198f89276614e3405eb9d3a7b070ab023f9a8cdf216c7a7cfffb7af41db9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 55326309b9fbc46af6d66e32f6057a7c |
| SHA1 | 4d7e130f0c5a1d049bb8a2c95e1a15d40bdec761 |
| SHA256 | 9df3a85659ea298b646825000dd9ee6105aa7915236fd5d3e3cc5b83362583ca |
| SHA512 | 1df86c638a69ce2ae256e80055c01c38dd61eb313dd87111cb6b728014fe030653653ab2c6ed4d86498bc53021b4ae207458f8249cb1903b76060bb0d25046af |
memory/768-280-0x0000000000370000-0x000000000055A000-memory.dmp
memory/2392-306-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/1148-301-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/1712-362-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0d7f4857-fd77-4ebf-9743-a7ce76ad4959.vbs
| MD5 | 0d9197ae2d6d2ee9cc6c414e8b728ddb |
| SHA1 | f970d3ad51c59f23829ab6bf1445f259d466c80d |
| SHA256 | 7423a09c27b52eea481d6d941ed24a45e847124a918216b2446e36be3319f244 |
| SHA512 | 448f90adfa7b77c7d133c8279166e83e57d7f77dde4477a557c6fd211ff7076a01e443584fc37640a2db14f7d107b78d4bf670685d0c587536cb317bfc6997ad |
C:\Users\Admin\AppData\Local\Temp\367d32be-5bd8-432d-8a4b-cf462ccb5190.vbs
| MD5 | 93f4774599b410a638abacbe153d60af |
| SHA1 | 6de2a33667c0256aecd563a0654100a79dc5346f |
| SHA256 | 0d3f487d8ad8febb266dfc8d7c8d3c94409144b0d9246d710f56c0dd378c320b |
| SHA512 | 3e329d4dd005e4d58d7f8485f760310bf67d083b1a0a79ee95b89e2c47b59b33744d0b477d7a6966216b8ef67728e8d037d0e18c5ac0a1bc89b620d9db032d3f |
memory/912-383-0x0000000000220000-0x000000000040A000-memory.dmp
memory/912-384-0x0000000000650000-0x0000000000662000-memory.dmp
memory/1360-395-0x0000000000B30000-0x0000000000D1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3aa97c8d-c938-4752-be83-cf16ba904cd5.vbs
| MD5 | 6b06e4e01885f01958162b9039f754e7 |
| SHA1 | 72cd843bcd5b8cd2c9af468b57d07c5773d5ceb4 |
| SHA256 | b0163a41ab3b82f20cc11f2d551caf5cc723bc34f8b8acee75e9da04113a532c |
| SHA512 | 2be77de09f84037b38d940eb0d1d7790b64d85dd8fb56437512fc903a95b6980c0c7aed29922351a7b511ea7dc23500e5edb7c1f65f86e255f7cefebb16bb8dc |
memory/2916-407-0x0000000001000000-0x00000000011EA000-memory.dmp
memory/2916-408-0x0000000000550000-0x0000000000562000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\960df572-8523-4233-a5bc-eabd754d9a2c.vbs
| MD5 | 03c42b63fea5450ceaef1ea09ed5f925 |
| SHA1 | 8f07d96e44522bc1562a9276d3275c5a87ce841d |
| SHA256 | 3dae5f8fa563e1ae9d2f68ea63ebf1b17b7d1f5c37c8b904a38f3c6479d96b43 |
| SHA512 | 41f77f7e5c0ceb3680ce5d7a902078e72b7cdaaa41e54c4d5b2fd3ac5b9ca6b3abe00fccfb3b9339c1284c093143234383a6d0fe63c0a088ec3f3b0c45208254 |
memory/832-420-0x00000000004B0000-0x0000000000506000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7468d560-5b21-4138-aacd-8df13e67b10f.vbs
| MD5 | 19255de831ad73ccab7ff6b812bd3df1 |
| SHA1 | f3b82561a99cc1910049e1b5c3e88fa4d4505a97 |
| SHA256 | 30dd0b0be876f5a05d7285c9db86f5e47fc8f646171dd873597444bb2ade085b |
| SHA512 | cc548dc0139ddc2ac5cf1a94e6efbb53f594419a7b88a8d88363837924e765545b57bb9cd3c7d6a11dd2c6d288406828e489284460b8acb88b08ee1db96ddfe8 |
C:\Users\Admin\AppData\Local\Temp\0c162ae6-1789-4fc0-b1e4-cebed116dd99.vbs
| MD5 | 81e88db8bee7dc0592a7cf21f8b2185f |
| SHA1 | b8a056472f6ab7051a26e8ce8b60c7a7bf1954f3 |
| SHA256 | 7a22a601dd5a555063b41e1bbed6aefe56d7e5682ddb82b94829d3779e1f1a2a |
| SHA512 | cc12da9c42163ba5bd746aa5b97ed01a6104eb14705e2b3ecb239ba7e964af59c27ec54015d8ac736007c97055d8c4d9210234f43db6a431f572e39325899848 |
memory/2200-443-0x00000000010D0000-0x00000000012BA000-memory.dmp
memory/2200-444-0x0000000000640000-0x0000000000652000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ecdd0072-ac3f-4e19-a57f-4f9c266bab2a.vbs
| MD5 | 83c8c006bbe0cc67031dbc1414bceed5 |
| SHA1 | 08bb71a0f05f67417155722e01106136c82a9efb |
| SHA256 | 267277d3945fbb0f71c74d5b8008bf8716ebd192fffff366d63fc8e4afc3dc22 |
| SHA512 | 4f76ae9a445b66d67c8865f0300f6017bfdcd282f32715e60e9e5f501815290a2ee4b1e319e1fc29520aa8ddd041edcc0b0370d04d4452e2c0cc5c60243ff26f |
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20250207-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe
"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/2352-0-0x000007FEF4FE3000-0x000007FEF4FE4000-memory.dmp
memory/2352-1-0x0000000000AF0000-0x0000000000B30000-memory.dmp
memory/2352-2-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp
memory/1392-7-0x000007FEECEAE000-0x000007FEECEAF000-memory.dmp
memory/1392-8-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/1392-9-0x0000000002230000-0x0000000002238000-memory.dmp
memory/1392-10-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp
memory/1392-11-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp
memory/1392-12-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp
memory/1392-14-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp
memory/1392-13-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp
memory/1392-15-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | be1437ced762af72b3d45f6dac3ae330 |
| SHA1 | 07ccced9fb7c913184d50d7ddcb34f483fc0b46c |
| SHA256 | b79229fc6049235630fa608a8dcbd65c221741aed98094b6787b58213247862f |
| SHA512 | 0836b1f01c44c472e5c4a0b4dfe52e8f92954a58f973ef2a5f22945db47acbb5f250b09db4a333accfa1db712a83b04ca1e1a1f600d778e8d004cfbdf2766928 |
memory/2784-21-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/2784-22-0x0000000002250000-0x0000000002258000-memory.dmp
memory/2352-29-0x000007FEF4FE3000-0x000007FEF4FE4000-memory.dmp
memory/2352-30-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp
memory/2912-36-0x000000001B7E0000-0x000000001BAC2000-memory.dmp
memory/2352-40-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2340 set thread context of 4796 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 2340 set thread context of 752 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe
"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2592-0-0x0000000074B02000-0x0000000074B03000-memory.dmp
memory/2592-1-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2592-2-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2592-5-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2592-6-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2592-18-0x0000000074B02000-0x0000000074B03000-memory.dmp
memory/2592-19-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2592-20-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2592-21-0x0000000074B00000-0x00000000750B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | c5de36531a3c4a3a1d9098ac862e5214 |
| SHA1 | 648231e5533d7ce188ff90a9c851fd2f22a73930 |
| SHA256 | 20083eeac2dc9fbeadca54a8a1f74c44336baacdd1d7ccb06836ec1946cd9857 |
| SHA512 | 2beb218cac41a38f912858d60398b1597c705942c7aa33f98aff4cdbc1788a5a915eeb543ce775f39d8e5847ba829bb48779431ff6a69b092df445e5492504e5 |
memory/2592-32-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-33-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-34-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-35-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-36-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-37-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/3952-39-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/3952-40-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/3952-41-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-42-0x0000000074B00000-0x00000000750B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
| MD5 | b3ac9d09e3a47d5fd00c37e075a70ecb |
| SHA1 | ad14e6d0e07b00bd10d77a06d68841b20675680b |
| SHA256 | 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432 |
| SHA512 | 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316 |
memory/752-58-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2340-62-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/2340-65-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/3952-66-0x0000000074B00000-0x00000000750B1000-memory.dmp
memory/3952-67-0x0000000074B00000-0x00000000750B1000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
106s
Max time network
151s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe
"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
Files
memory/5784-0-0x00007FFB7D563000-0x00007FFB7D565000-memory.dmp
memory/5784-1-0x00000000005F0000-0x00000000007FA000-memory.dmp
memory/5784-2-0x00007FFB7D560000-0x00007FFB7E021000-memory.dmp
memory/5784-3-0x0000000001010000-0x000000000101E000-memory.dmp
memory/5784-4-0x0000000001020000-0x000000000102E000-memory.dmp
memory/5784-6-0x00007FFB7D560000-0x00007FFB7E021000-memory.dmp
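The memory/… entries above, like those at the start of this section, name each dumped region by PID, a sequence index and a start/end address. The Python below is an added helper, not part of the sandbox report: it parses those names, computes region sizes, and flags ranges that were dumped more than once in one PID or that occur in several PIDs. The naming scheme is inferred from the names themselves, and the address-range labels are a heuristic of the example, not something the report states.

```python
import re
from collections import defaultdict

# Dump names copied from the "Files" lists in this part of the report. The scheme
# assumed here, memory/<pid>-<index>-<start>-<end>-memory.dmp, is inferred from them.
DUMP_NAMES = [
    "memory/752-58-0x0000000000400000-0x0000000000410000-memory.dmp",
    "memory/2340-62-0x0000000074B00000-0x00000000750B1000-memory.dmp",
    "memory/2340-65-0x0000000074B00000-0x00000000750B1000-memory.dmp",
    "memory/3952-66-0x0000000074B00000-0x00000000750B1000-memory.dmp",
    "memory/3952-67-0x0000000074B00000-0x00000000750B1000-memory.dmp",
    "memory/5784-0-0x00007FFB7D563000-0x00007FFB7D565000-memory.dmp",
    "memory/5784-1-0x00000000005F0000-0x00000000007FA000-memory.dmp",
    "memory/5784-2-0x00007FFB7D560000-0x00007FFB7E021000-memory.dmp",
    "memory/5784-3-0x0000000001010000-0x000000000101E000-memory.dmp",
    "memory/5784-4-0x0000000001020000-0x000000000102E000-memory.dmp",
    "memory/5784-6-0x00007FFB7D560000-0x00007FFB7E021000-memory.dmp",
]

_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump name into its fields; size is end - start in bytes."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end is not above start in: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def likely_kind(start):
    """Heuristic label from the start address alone (an assumption of this example);
    confirm against the dump contents before relying on it."""
    if start == 0x400000:
        return "default 32-bit PE image base"
    if 0x70000000 <= start < 0x80000000:
        return "upper 32-bit range, typical of 32-bit system DLLs"
    if start >= 0x7FF000000000:
        return "top of x64 user space, typical of x64 system DLLs"
    return "low private allocation (heap or unpacked-code candidate)"


def summarise(names):
    """Group dumps by PID and find ranges captured more than once within a PID,
    i.e. the same region snapshotted at several points in time."""
    by_pid, by_range = defaultdict(list), defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        by_pid[d["pid"]].append(d)
        by_range[(d["pid"], d["start"], d["end"])].append(d["idx"])
    repeated = {k: v for k, v in by_range.items() if len(v) > 1}
    return dict(by_pid), repeated


def shared_ranges(names):
    """Ranges present in more than one PID, usually one image mapped into several processes."""
    pids = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        pids[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


def largest_region(names):
    """The biggest dumped region; the first one wins on ties."""
    return max((parse_dump_name(n) for n in names), key=lambda d: d["size"])


if __name__ == "__main__":
    by_pid, repeated = summarise(DUMP_NAMES)
    for pid, dumps in sorted(by_pid.items()):
        for d in sorted(dumps, key=lambda d: d["idx"]):
            print(f"pid {pid:5d} #{d['idx']:<3} 0x{d['start']:X}-0x{d['end']:X} "
                  f"{d['size']:>10,} B  {likely_kind(d['start'])}")
    for (pid, s, e), idxs in repeated.items():
        print(f"pid {pid}: 0x{s:X}-0x{e:X} dumped {len(idxs)}x (indices {idxs})")
    for (s, e), pids in shared_ranges(DUMP_NAMES).items():
        print(f"0x{s:X}-0x{e:X} appears in PIDs {pids}")
```

Run stand-alone it lists every region with its size, reports the 0x7FFB7D560000 range of PID 5784 as dumped twice (indices 2 and 6) and the 0x74B00000 range as shared by PIDs 2340 and 3952; the 0x5F0000 to 0x7FA000 allocation in PID 5784 is the one low private region of any size and the natural first candidate to inspect.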
Analysis: behavioral20
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
64s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
(identical row repeated 64 times in the report)
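The rows above record Output.exe reading Control Panel\International\Geo\Nation under the user's hive (the \REGISTRY\USER\<SID> path is how the kernel names HKCU); that value is the user's country GeoID, the one GetUserGeoID returns. Plenty of legitimate software reads it, so this signature is weak evidence on its own; the family detections and the process list that follows carry the weight. The Python below is an added triage helper, not code from the report or from the malware: it collapses repeated signature rows into one row with a hit count, rewrites the per-SID registry path into a hunt-able HKCU form, and tallies launches per image from the Processes list. The excerpt it parses is constructed in the layout of this report, with the repeats cut down to a few.

```python
import re
from collections import Counter, OrderedDict

# Constructed excerpt in the layout of this report (the real one repeats these rows
# far more often): a signature table, then the Processes list, where each entry is a
# bare image path followed by its quoted command line.
REPORT_EXCERPT = r"""Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
Executes dropped EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe
"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
Network
"""

_ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
_HIVE_RES = [
    # \REGISTRY\USER\<SID>\... is the current user's hive; \REGISTRY\MACHINE is HKLM.
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+(?=\\)", re.I), "HKCU"),
    (re.compile(r"^\\REGISTRY\\MACHINE(?=\\)", re.I), "HKLM"),
]


def parse_signature_rows(text):
    """Yield (description, indicator, process, target) for each data row of a signature table."""
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groups()
        if row[0] == "Description" or all(cell == "N/A" for cell in row):
            continue  # header row, or a signature hit with no indicator
        yield row


def dedupe_rows(text):
    """Collapse identical rows, first-seen order, with the number of times each occurred."""
    counts = OrderedDict()
    for row in parse_signature_rows(text):
        counts[row] = counts.get(row, 0) + 1
    return counts


def normalise_registry(path):
    """Rewrite the kernel-style, SID-specific path into the HKCU/HKLM form used in hunts."""
    for rx, hive in _HIVE_RES:
        if rx.match(path):
            return rx.sub(hive, path, count=1)
    return path


def parse_processes(text):
    """Return [(image_path, command_line)] from the Processes list; stop at the first
    line that is not a drive-letter path followed by a quoted command line."""
    lines = text.splitlines()
    if "Processes" not in lines:
        return []
    i, procs = lines.index("Processes") + 1, []
    while i + 1 < len(lines):
        path, cmd = lines[i], lines[i + 1]
        if not re.match(r"^[A-Za-z]:\\", path) or not cmd.startswith('"'):
            break
        procs.append((path, cmd))
        i += 2
    return procs


def spawn_tally(text):
    """Launches per image name; a high count for a dropped binary is the respawn loop
    that the long Processes list in this report shows."""
    return Counter(path.rsplit("\\", 1)[-1] for path, _ in parse_processes(text))


def unique_indicators(text):
    """Deduplicated registry paths (normalised) and image paths, ready for a hunt query."""
    registry = sorted({normalise_registry(ind) for _, ind, _, _ in parse_signature_rows(text)
                       if ind.upper().startswith("\\REGISTRY\\")})
    images = sorted({path for path, _ in parse_processes(text)})
    return {"registry": registry, "images": images}


if __name__ == "__main__":
    for row, n in dedupe_rows(REPORT_EXCERPT).items():
        print(f"x{n}: {row[0]} | {normalise_registry(row[1])} | {row[2]}")
    print(spawn_tally(REPORT_EXCERPT))
    print(unique_indicators(REPORT_EXCERPT))
```

On the full report the same code turns the 64 registry rows into one line with a count and the alternating XClient.exe / Output.exe entries into two per-image launch counts, which is the shape an analyst actually hunts on.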
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe
"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv URhMR8YXLU++kEb1nIfiyQ.0.2
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
Files
memory/1632-0-0x00007FFF4DE33000-0x00007FFF4DE35000-memory.dmp
memory/1632-1-0x0000000000910000-0x0000000000966000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | e0918682feb10b28a39a9cfbf4d2d90c |
| SHA1 | c33f8518747e96955387bac3c8299eea24357fe0 |
| SHA256 | 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01 |
| SHA512 | dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7 |
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | 3ac2fbaa37549eb0c50eedbca0da41c2 |
| SHA1 | a486d241a02989d2adbff9785c7c39e68a2934af |
| SHA256 | 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd |
| SHA512 | 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7 |
memory/5320-23-0x0000000000C90000-0x0000000000CA2000-memory.dmp
memory/4120-26-0x00000000007B0000-0x00000000007F6000-memory.dmp
memory/5320-27-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/4120-30-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp
memory/4120-33-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp
memory/5320-64-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp
memory/5320-93-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp
memory/5320-94-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
164s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 980 set thread context of 4100 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 980 set thread context of 1860 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe
"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4468-0-0x0000000074892000-0x0000000074893000-memory.dmp
memory/4468-1-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-2-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-5-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-6-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-7-0x0000000074892000-0x0000000074893000-memory.dmp
memory/4468-8-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-20-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-21-0x0000000074890000-0x0000000074E41000-memory.dmp
C:\Users\Admin\AppData\Roaming\app.exe
| MD5 | 2a36c9ca52118eb7a7364b577e156cd5 |
| SHA1 | 83f62a4a8643b9dfd89f6750a1b5e63a9d525b17 |
| SHA256 | 6fa17b9dbde9b2f03975a5b5f44d7d2d4153aed94bebbd2098939a3562dac901 |
| SHA512 | bfbea8459c5135b6b21a2dc5bd149b0f775e4d540f7868252beb4e344e9de6e9040cb791da04186d487d92ef45a890154f80e62ebd16ac828f81ac2f6071732a |
memory/980-33-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4468-32-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/980-34-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/980-35-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/980-36-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/3636-39-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/3636-40-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/3636-38-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/980-41-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/4100-56-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/980-59-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/980-62-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/3636-63-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/3636-64-0x0000000074890000-0x0000000074E41000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2968 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2968 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2968 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2968 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe
"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2968-0-0x00000000740CE000-0x00000000740CF000-memory.dmp
memory/2968-1-0x00000000000C0000-0x0000000000416000-memory.dmp
memory/2968-2-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2968-4-0x00000000005E0000-0x00000000005EA000-memory.dmp
memory/2968-3-0x00000000005E0000-0x00000000005EA000-memory.dmp
memory/2196-7-0x000000006C121000-0x000000006C122000-memory.dmp
memory/2196-8-0x000000006C120000-0x000000006C6CB000-memory.dmp
memory/2196-9-0x000000006C120000-0x000000006C6CB000-memory.dmp
memory/2196-10-0x000000006C120000-0x000000006C6CB000-memory.dmp
memory/2196-11-0x000000006C120000-0x000000006C6CB000-memory.dmp
memory/2196-12-0x000000006C120000-0x000000006C6CB000-memory.dmp
memory/2968-14-0x0000000004CC0000-0x0000000004D00000-memory.dmp
memory/2968-13-0x00000000740CE000-0x00000000740CF000-memory.dmp
memory/2968-15-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2968-16-0x0000000004CC0000-0x0000000004D00000-memory.dmp
memory/2968-17-0x00000000005E0000-0x00000000005EA000-memory.dmp
memory/2968-18-0x00000000005E0000-0x00000000005EA000-memory.dmp
memory/2968-19-0x0000000004CC0000-0x0000000004D00000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:12
Platform
win7-20241010-en
Max time kernel
144s
Max time network
162s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2848 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
| PID 2848 set thread context of 1292 | N/A | C:\Users\Admin\AppData\Roaming\app.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\app.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\My.RawFile.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe
"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\app.exe
"C:\Users\Admin\AppData\Roaming\app.exe"
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
Files
memory/2288-0-0x0000000074B31000-0x0000000074B32000-memory.dmp
memory/2288-1-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2288-2-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2288-12-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2288-13-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2288-14-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2288-15-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2288-27-0x0000000074B30000-0x00000000750DB000-memory.dmp
\Users\Admin\AppData\Roaming\app.exe
| MD5 | 97863757bcbb19ac4b85fdee34b532c2 |
| SHA1 | 546673271b915dec79834f35767c7045b5aaf6a2 |
| SHA256 | 05186a0de5bb7938a8b1f81f215abcec797e51d48f92979b1ae5ab57d1683ec6 |
| SHA512 | 419ab1c94e00e5d278d86513d7d47c61b3b7ee7647bf4bad1e9a5baa34c7730f57210dda360ed202de7644e52ac088409592c22f369ce0aad5e624a1d0d9df77 |
memory/2288-34-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2848-35-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2848-36-0x0000000074B30000-0x00000000750DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab213.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27213d35f7b05b4b1bc63b078af737c2 |
| SHA1 | 4563bf2eb797517a31134de93e49160858d9ac4b |
| SHA256 | 3b387eaef710efe6237c7982fcd0ea249875812298f4825d125dcc370a680474 |
| SHA512 | 2c6c2bba83b0f570bba60d577e93c4704c244199c3c92265f47b08aac7d7cc20ba0ac07f57d1a02db2e277a077d6fb493fd0eac7e5f8369f134bb27bc36b9f8f |
memory/2848-45-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2848-46-0x0000000074B30000-0x00000000750DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar1141.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Roaming\My.RawFile.exe
| MD5 | 5a733ef0de5e31e2e4b4abb016c0f251 |
| SHA1 | 28644040a6deac35c20fa931b5d003a97293363e |
| SHA256 | a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7 |
| SHA512 | 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9 |
memory/1292-97-0x0000000000080000-0x0000000000090000-memory.dmp
memory/1292-94-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2848-98-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/1292-90-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2968-79-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2968-78-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2968-77-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2968-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2968-74-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2968-72-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2968-70-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2968-68-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2848-99-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2848-102-0x0000000074B30000-0x00000000750DB000-memory.dmp
memory/2848-103-0x0000000074B30000-0x00000000750DB000-memory.dmp
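Detection logic for the chain that behavioral24 and behavioral5 both record: a dropped binary in AppData\Roaming (app.exe) starts aspnet_compiler.exe with an empty command line and then calls SetThreadContext on it (the report dumps a fresh 0x400000-0x410000 region in each aspnet_compiler.exe target, consistent with its image having been replaced), the dropper writes a Run key pointing into AppData\Roaming, some process resolves checkip.dyndns.org, and some process submits mail to smtp.yandex.com:587. The same rules also catch the XClient.exe / Output.exe relaunch loop in the process list further up. This is an added example, not code from the report or the sandbox. The events are constructed Sysmon-style records built from the paths in the report; attributing the two network rows to My.RawFile.exe is an assumption (the report's Network table does not name the process), and the extra .NET host binaries, the IP-lookup domain list, the mail-client allowlist and the relaunch threshold are assumptions as well.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Locations a standard user can write to. Assumption: limited to the two the report shows.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
# .NET Framework binaries used as hosts for injected code. aspnet_compiler.exe is the
# one in the report; the others are an assumption added for breadth.
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Public-IP lookup services. checkip.dyndns.org is from the report; the rest are assumptions.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allowlist for SMTP submission
SMTP_PORTS = {25, 465, 587}
RELAUNCH_THRESHOLD = 5                               # assumed: same image started this often

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() != ""

def analyse(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every event that matches a rule."""
    findings: List[Tuple[str, str]] = []
    starts: Counter = Counter()
    for e in events:
        if e["type"] == "process":
            image, parent = e["image"], e.get("parent_image", "")
            if USER_WRITABLE.match(image):
                starts[image.lower()] += 1
            # A user-writable parent starting a .NET host binary with an empty command
            # line is the setup for replacing its image (SetThreadContext follows).
            if (basename(image) in DOTNET_HOSTS and USER_WRITABLE.match(parent)
                    and not has_arguments(e.get("cmdline", image))):
                findings.append(("hollow_host", f"{basename(parent)} -> {basename(image)} (no arguments)"))
        elif e["type"] == "registry":
            key, value = e["key"], e["value"].strip('"')
            if re.search(r"\\currentversion\\run(once)?\\", key, re.I) and USER_WRITABLE.match(value):
                findings.append(("run_key_userwritable", f"{key} = {value}"))
        elif e["type"] == "network":
            img, domain = basename(e["image"]), (e.get("domain") or "").lower()
            if e["port"] in SMTP_PORTS and img not in MAIL_CLIENTS:
                findings.append(("smtp_from_non_mail_client", f"{img} -> {domain or e['dst']}:{e['port']}"))
            if domain in IP_LOOKUP_DOMAINS:
                findings.append(("external_ip_lookup", f"{img} -> {domain}"))
    for image, n in starts.items():
        if n >= RELAUNCH_THRESHOLD:
            findings.append(("relaunch_loop", f"{basename(image)} started {n} times"))
    return findings

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"
APP = r"C:\Users\Admin\AppData\Roaming\app.exe"
STEALER = r"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
OUTPUT = r"C:\Users\Admin\AppData\Roaming\Output.exe"

# Constructed events modelled on the report; not sandbox telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": DROPPER, "cmdline": f'"{DROPPER}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry", "image": DROPPER,
     "key": r"HKU\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application",
     "value": APP},
    {"type": "process", "image": APP, "cmdline": f'"{APP}"', "parent_image": DROPPER},
    {"type": "process", "image": HOST, "cmdline": f'"{HOST}"', "parent_image": APP},
    {"type": "network", "image": STEALER, "dst": "158.101.44.242", "port": 80, "domain": "checkip.dyndns.org"},
    {"type": "network", "image": STEALER, "dst": "77.88.21.158", "port": 587, "domain": "smtp.yandex.com"},
    # Benign controls: a real mail client on 587, and a compiler run with arguments from cmd.exe.
    {"type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "52.96.0.1", "port": 587, "domain": "smtp.office365.com"},
    {"type": "process", "image": HOST, "cmdline": f'"{HOST}" -v / -p C:\\site', "parent_image": r"C:\Windows\System32\cmd.exe"},
]
# The XClient.exe / Output.exe pair relaunching each other, as in the process list above.
for _ in range(RELAUNCH_THRESHOLD):
    SAMPLE_EVENTS.append({"type": "process", "image": XCLIENT, "cmdline": f'"{XCLIENT}"', "parent_image": OUTPUT})
    SAMPLE_EVENTS.append({"type": "process", "image": OUTPUT, "cmdline": f'"{OUTPUT}"', "parent_image": XCLIENT})

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The hollow_host rule keys on the empty command line rather than on the SetThreadContext call because most endpoint telemetry records process creation but not thread-context changes; aspnet_compiler.exe has no legitimate reason to run without arguments from a binary under AppData. Note that My.RawFile.exe has the same SHA256 (a80c77ca...) in both runs while app.exe differs between them (6fa17b9d... on Windows 10, 05186a0d... on Windows 7), so hashing app.exe alone is a weak indicator; the behavioural rules above hold across both.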
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
103s
Max time network
144s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 644 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 644 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 644 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe
"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljvetwjo.isr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral19
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20241023-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Output.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe
"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
C:\Users\Admin\AppData\Roaming\Output.exe
"C:\Users\Admin\AppData\Roaming\Output.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
Files
memory/1672-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp
memory/1672-1-0x0000000001000000-0x0000000001056000-memory.dmp
C:\Users\Admin\AppData\Roaming\XClient.exe
| MD5 | e0918682feb10b28a39a9cfbf4d2d90c |
| SHA1 | c33f8518747e96955387bac3c8299eea24357fe0 |
| SHA256 | 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01 |
| SHA512 | dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7 |
memory/2308-11-0x00000000003A0000-0x00000000003B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Output.exe
| MD5 | 3ac2fbaa37549eb0c50eedbca0da41c2 |
| SHA1 | a486d241a02989d2adbff9785c7c39e68a2934af |
| SHA256 | 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd |
| SHA512 | 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7 |
Analysis: behavioral27
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20250207-en
Max time kernel
126s
Max time network
144s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe
"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
| N/A | 192.168.1.55:4782 | N/A | tcp |
Files
memory/1192-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp
memory/1192-1-0x0000000000E20000-0x0000000001144000-memory.dmp
memory/1192-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 35110eedb3518d1905b88025bf11b77d |
| SHA1 | c39e96cc0dcb14065984c3d3fbff331070e37feb |
| SHA256 | 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd |
| SHA512 | 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2 |
Analysis: behavioral22
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
128s
Max time network
154s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LiveKernelReports\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Windows\LiveKernelReports\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Windows\LiveKernelReports\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\LiveKernelReports\RCXA072.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\LiveKernelReports\RCXA073.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files\Windows Media Player\it-IT\sppsvc.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e920aaf-2d28-4db8-8c57-20b01a64ccd1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f05bf25-4175-4d9d-a0bc-6d7df99ed6db.vbs"
C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8a4abf-acc7-4fd4-9897-c468b0519d40.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f02882-59c6-4905-9be8-1a5fbbfa042c.vbs"
C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73264ea4-08f2-4f30-981c-2a72705d32c6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bb12026-5f72-4af6-8d4d-edc895fd7efe.vbs"
C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d288c75-a642-4201-bac7-d8299702582b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a265beb2-ff6d-4517-8be1-d0689a132954.vbs"
C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | a0889572.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| NL | 4.175.87.197:443 | | tcp |
| NL | 4.175.87.197:443 | | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
104s
Max time network
157s
Signatures
Detect Umbral payload
Umbral
Umbral family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe
"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe
"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"
Network
Files
memory/2204-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp
memory/2204-1-0x0000000001260000-0x000000000146A000-memory.dmp
memory/2204-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2204-3-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2204-4-0x0000000000420000-0x000000000042E000-memory.dmp
memory/2204-5-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:12
Platform
win7-20241010-en
Max time kernel
154s
Max time network
165s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1248 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe
"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 23.192.18.101:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
Files
memory/1068-0-0x0000000074591000-0x0000000074592000-memory.dmp
memory/1068-1-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/1068-2-0x0000000074590000-0x0000000074B3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6376.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar6398.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1068-27-0x0000000074590000-0x0000000074B3B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar7638.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99ae410abb902ccc96f9e9207afe5f85 |
| SHA1 | 84f2ae1a979dd51f614b666d1e0ce7856e188ce4 |
| SHA256 | 93d5db439677c5712357d91d72e494167fc447015d937fa26d0746157ff7ba30 |
| SHA512 | f775d36cf8bb44f183d0ab8a300a427973cd180e33f7c144a13ab76d846b1024c005e9f3fa61e789ae2f33e3236f840d466e7b7dd60bd5ee47dd3b4071a3beb1 |
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 934c06a6c53a006b0d3ca9c7d3ac3ecf |
| SHA1 | 23c4fb0d070ba1100669b88cf1b5acdbb6d01de7 |
| SHA256 | 99e28f01a0b7f46bc7e2009cae50076243314e2f24d9605bce5084a24055a9ba |
| SHA512 | a464e9a55c81a231d5a89f85d04a326358c6f7c995b26edea73c6a4bd65b6b995e686e8da12c6585736af70e52e32cfafc0ca5c5b8391d464987d4620917d07d |
memory/1068-194-0x0000000074590000-0x0000000074B3B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
| MD5 | 3b5e0bd6640456a749d9155e6c135727 |
| SHA1 | 7d985e42e7df8cac3cf7ec917df10b9fbef09a21 |
| SHA256 | c362a3d2b661c6066a02fc169faaa1976c2f6160da5837c7e68b7e0f67b794ed |
| SHA512 | b1b669bad519dccab5224c8fcdb13bb2b015e22fd30ba57e92c9cde4480e655f19f0bbb862db5fd87828d2a3ab74c4a6090f36b6358f9eefe5c82e024afe4a3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
| MD5 | 1ea27366e034eb9447a33ce639c01489 |
| SHA1 | d12ed3e7e60c65ce90f0a58b9b9e47292caed923 |
| SHA256 | 788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452 |
| SHA512 | e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
| MD5 | f2f1c636dbc689355839f18c6906a8de |
| SHA1 | edb68abcac18b4ba1889e2c5034763ecf4eeaba4 |
| SHA256 | 5faf6f41e206396f1fc7ae233fbce325072ff53669183cdc3978e7550dbd772e |
| SHA512 | 5081daa24cdeec5d0f239cbe40ee7aacd1cd0fafb39aa6b278c179e6ee64f1babde8b1be2b588078ba9261f0cc359b4779fd64f01ddb8d98ec2c2abb7346e844 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
| MD5 | ce6e373f789785f9bcf0117b43acfab9 |
| SHA1 | 41cf4d6f84850c1daecf01b885e3b8a805714dc8 |
| SHA256 | 1e268eb9162d27a500cd58404fbc33c04a299d5d1ea6e8d7b419472b9127ee26 |
| SHA512 | 91e0e3becaa36336cde36f6d66079aa7925e984b5b8b70be8bae9259f6439238da5474dbc6f9fe14360aec502e7553b3b5e99bbefafb841d8fc9c97748fb528f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc5d75b2548d4461b99aba29aaed2ac5 |
| SHA1 | c6f69117ed88fdc9c1a1c3d17ee2ef2cf40dd905 |
| SHA256 | 5780c686ece37e97e137976fa63af25cfaf21dc596f6a1d5fbd62151eef6720c |
| SHA512 | 5bd34fbc2a2d1c19ba0c5baeb4ae636057d38e87912c167507a31eaad6a57f16dd62971bab7d90b797356d26047cdc91dc2c15e95edf49a66e6d644568ccf956 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8cd148597f9cddd123d42b1b1acffa5 |
| SHA1 | 3c56759b1d49a5b50c4c35aaf04f1afb24a2e2b3 |
| SHA256 | 2d66fb9d3dd192aa1db06fd6ed41e4e61b5129d8f99ebd83eab9ce53b45d929c |
| SHA512 | b36927a99fb6bd0d6691cc46a2201f58987e147d402e3c345de8ed1e8905c11561413f04eb840c4c7b52c707f4e52ab914823be4d7596b2a94a9149b0bf1e50d |
memory/2820-366-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2820-365-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2820-363-0x0000000000400000-0x000000000040C000-memory.dmp
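The njRAT run above pairs two events a hunter should correlate: a Run-key value and a `netsh firewall add allowedprogram` exception that both point at the same binary under AppData\Roaming, so the implant survives reboot and accepts its inbound C2 session without a firewall prompt. The Python below is an added example, not part of the sandbox report or of the malware: it parses process command lines and registry indicators in the form printed in this report and flags that pairing. The user-writable path list and the Finding/analyze names are my own; the sample inputs are the netsh line and the two Run-key writes from the behavioral15 report, plus one constructed benign advfirewall rule as a control.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Path fragments a standard user can write to (assumed list). An autorun entry
# or firewall exception pointing here is the pattern seen in the report above.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

def is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def tokenize(cmdline: str) -> list[str]:
    # Split on whitespace, keeping double-quoted runs (paths with spaces) intact,
    # then discard the double quotes themselves.
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]

def firewall_exception_target(cmdline: str) -> Optional[str]:
    """Program path that a netsh command adds as a firewall exception, or None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not low or not low[0].endswith(("netsh", "netsh.exe")):
        return None
    # Legacy 'firewall' context, still accepted, used by the njRAT sample:
    #   netsh firewall add allowedprogram <path> <name> ENABLE
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        return toks[4]
    # Current 'advfirewall' context: ... add rule ... program=<path> ...
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for t in toks[5:]:
            if t.lower().startswith("program="):
                return t.split("=", 1)[1]
    return None

# A registry write as the report prints it: <key>\<value name> = "<data>"
RUN_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')

def autorun_target(indicator: str) -> Optional[tuple[str, str]]:
    """(value name, program path) for a write under ...\\CurrentVersion\\Run or RunOnce."""
    m = RUN_VALUE_RE.match(indicator)
    if not m:
        return None
    key = m["key"].lower()
    if not key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return None
    data = m["data"].replace("\\\\", "\\")  # the report doubles backslashes in value data
    parts = tokenize(data)
    return (m["name"], parts[0]) if parts else None

@dataclass
class Finding:
    technique: str
    program: str
    evidence: str

def analyze(process_cmdlines: list[str], registry_indicators: list[str]) -> list[Finding]:
    findings, allowed, autoruns = [], set(), set()
    for cmd in process_cmdlines:
        prog = firewall_exception_target(cmd)
        if prog and is_user_writable(prog):
            allowed.add(prog.lower())
            findings.append(Finding("firewall-exception", prog, cmd))
    for ind in registry_indicators:
        hit = autorun_target(ind)
        if hit and is_user_writable(hit[1]):
            autoruns.add(hit[1].lower())
            findings.append(Finding("run-key-persistence", hit[1], f"Run\\{hit[0]}"))
    # The same user-writable binary both persisted and whitelisted is the strongest
    # signal: a RAT preparing to accept inbound connections across reboots.
    for prog in sorted(allowed & autoruns):
        findings.append(Finding("persistence+firewall-exception", prog, "both of the above"))
    return findings

# Sample input: the netsh command line and the two Run-key writes from the
# behavioral15 report above, plus one constructed benign advfirewall rule.
SAMPLE_PROCESSES = [
    r'"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE',
    r'netsh advfirewall firewall add rule name="Teams" dir=in action=allow program="C:\Program Files\Teams\Teams.exe"',
]
SAMPLE_REGISTRY = [
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"',
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print(f"{f.technique:32} {f.program}  <- {f.evidence}")
```

The Teams rule is deliberately not reported: the filter is on where the whitelisted program lives, not on netsh itself, which keeps installer noise out. Note that the report's two Run values are written by the dropper (`SysMain` pointing back at the Temp copy, `confuse` at the relocated copy), so both show up even though only `chargeable.exe` also gets the firewall exception.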
Analysis: behavioral30
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
110s
Max time network
131s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5160 wrote to memory of 5868 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 5160 wrote to memory of 5868 | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe
"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5160-0-0x00007FFD2C7F3000-0x00007FFD2C7F5000-memory.dmp
memory/5160-1-0x000002AD14930000-0x000002AD14970000-memory.dmp
memory/5160-2-0x00007FFD2C7F0000-0x00007FFD2D2B1000-memory.dmp
memory/5160-4-0x00007FFD2C7F0000-0x00007FFD2D2B1000-memory.dmp
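Most rows in these Network tables are the detonation image talking to Microsoft and Google (CRL fetches, Bing tiles, c.pki.goog); the rows that matter are the njRAT session to doddyfire.linkpc.net on 10000/tcp and the Umbral geolocation call to ip-api.com. The Python below is an added example, not part of the report: it parses rows in the table format used here, drops sandbox background noise, separates geolocation lookups from candidate C2, and notes names that were resolved but never connected to. The three suffix lists and the function names are my own assumptions to tune per sandbox; the sample rows are copied from the static1, behavioral15 and behavioral30 tables above.

```python
import re
from collections import Counter

# Traffic a detonation produces on its own: CRL/OCSP fetches and Bing/Google
# assets from the stock image. Assumed suffix lists; tune them per sandbox.
BACKGROUND = ("gstatic.com", "bing.com", "bing.net", "pki.goog", "microsoft.com", "windowsupdate.com")
# Free dynamic-DNS providers favoured by RAT operators (doddyfire.linkpc.net above).
DYNAMIC_DNS = ("linkpc.net", "no-ip.com", "ddns.net", "duckdns.org", "hopto.org", "zapto.org")
# Public "what is my IP" services that stealers call for victim geolocation.
GEOIP = ("ip-api.com", "api.ipify.org", "icanhazip.com", "ipinfo.io")
STANDARD_PORTS = {80, 443}

# One row of the report's Network table: | CC | ip:port | domain | proto |
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|\s*(?P<domain>\S+)\s*\|\s*(?P<proto>tcp|udp)\s*\|$"
)

def parse_table(table: str) -> list[dict]:
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def under(domain: str, suffixes) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)

def triage(table: str) -> dict:
    out = {"background": set(), "geoip_lookup": set(), "candidate_c2": []}
    resolved, connected, counts = set(), set(), Counter()
    for r in parse_table(table):
        if r["proto"] == "udp" and r["port"] == 53:
            resolved.add(r["domain"])  # resolver traffic; judged by the connection that follows
            continue
        connected.add(r["domain"])
        if under(r["domain"], BACKGROUND):
            out["background"].add(r["domain"])
        elif under(r["domain"], GEOIP):
            out["geoip_lookup"].add(r["domain"])
        else:
            counts[(r["domain"], r["ip"], r["port"], r["proto"], r["cc"])] += 1
    for (domain, ip, port, proto, cc), n in sorted(counts.items()):
        reasons = []
        if under(domain, DYNAMIC_DNS):
            reasons.append("dynamic-DNS hostname")
        if port not in STANDARD_PORTS:
            reasons.append(f"non-standard port {port}/{proto}")
        if n > 1:
            reasons.append(f"{n} connections in one run (reconnect loop)")
        out["candidate_c2"].append({"domain": domain, "ip": ip, "port": port, "country": cc,
                                    "connections": n, "reasons": reasons})
    # Names looked up but never connected to (a webhook host that was not reached, for instance).
    out["resolved_only"] = resolved - connected
    return out

def iocs(result: dict) -> list[str]:
    """Flat blocklist entries for every candidate C2: its hostname and ip:port."""
    items = set()
    for c in result["candidate_c2"]:
        items.add(f"domain:{c['domain']}")
        items.add(f"ipport:{c['ip']}:{c['port']}")
    return sorted(items)

# Sample input: rows copied from the static1, behavioral15 and behavioral30
# Network tables above (the repeated C2 rows trimmed to three).
SAMPLE_TABLE = """
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
"""

if __name__ == "__main__":
    result = triage(SAMPLE_TABLE)
    for c in result["candidate_c2"]:
        print(f"C2? {c['domain']} {c['ip']}:{c['port']} ({c['country']}) - {', '.join(c['reasons'])}")
    print("resolved only:", sorted(result["resolved_only"]), "blocklist:", iocs(result))
```

A destination that survives the background filter but collects no reason is still listed as a candidate; it just needs a human look rather than an automatic block. Dynamic-DNS names should be blocked as hostnames, since the IP behind doddyfire.linkpc.net can change between runs.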
Analysis: behavioral21
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240729-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\LogFiles\AIT\RCXDFDA.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\System32\LogFiles\AIT\RCXDFEB.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Windows\System32\LogFiles\AIT\1610b97d3ab4a7 | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDDB6.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDDC7.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCXDB82.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| File opened for modification | C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCXDB93.tmp | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74123978-7af5-4e83-b54f-7598187cd117.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\837d2091-babc-439f-bac8-c244cf353bb2.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\701fdcff-39ed-4937-b20b-f144a96e339d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac3bc1b8-82f6-4006-af92-ad65c18cf17c.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f924f5-ddfa-4ac6-b21f-cfa0976d6ab8.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000b1f31-6489-410a-81a3-dea3ba1b618c.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15a77a32-d2ee-42c9-9229-56f5a29bfc5f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ad544e-176e-4f7e-b20d-a2f1d3a09965.vbs"
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02460290-6983-4422-8cd2-37c14db1ca5b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\373353a3-408c-4e25-84ad-f9783ac1fc3f.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0889572.xsph.ru | udp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
| RU | 141.8.197.42:80 | a0889572.xsph.ru | tcp |
Files
memory/2124-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp
memory/2124-1-0x00000000011E0000-0x0000000001AD8000-memory.dmp
memory/2124-2-0x0000000000440000-0x0000000000441000-memory.dmp
memory/2124-3-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp
memory/2124-4-0x0000000000460000-0x000000000046E000-memory.dmp
memory/2124-5-0x0000000000470000-0x000000000047E000-memory.dmp
memory/2124-8-0x0000000000490000-0x0000000000498000-memory.dmp
memory/2124-7-0x0000000000520000-0x000000000053C000-memory.dmp
memory/2124-9-0x0000000000540000-0x0000000000550000-memory.dmp
memory/2124-12-0x0000000000B30000-0x0000000000B42000-memory.dmp
memory/2124-11-0x0000000000B10000-0x0000000000B18000-memory.dmp
memory/2124-10-0x0000000000550000-0x0000000000566000-memory.dmp
memory/2124-13-0x0000000000B50000-0x0000000000B5C000-memory.dmp
memory/2124-15-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/2124-14-0x0000000000B20000-0x0000000000B28000-memory.dmp
memory/2124-6-0x0000000000480000-0x0000000000488000-memory.dmp
memory/2124-16-0x0000000000B60000-0x0000000000B6A000-memory.dmp
memory/2124-17-0x0000000000B70000-0x0000000000BC6000-memory.dmp
memory/2124-20-0x0000000000C60000-0x0000000000C6C000-memory.dmp
memory/2124-23-0x0000000000C80000-0x0000000000C92000-memory.dmp
memory/2124-21-0x0000000000C70000-0x0000000000C78000-memory.dmp
memory/2124-19-0x0000000000C50000-0x0000000000C58000-memory.dmp
memory/2124-24-0x0000000000CB0000-0x0000000000CBC000-memory.dmp
memory/2124-18-0x0000000000BC0000-0x0000000000BCC000-memory.dmp
memory/2124-27-0x0000000000CE0000-0x0000000000CEC000-memory.dmp
memory/2124-29-0x0000000000D00000-0x0000000000D08000-memory.dmp
memory/2124-30-0x000000001AFF0000-0x000000001AFFC000-memory.dmp
memory/2124-28-0x0000000000CF0000-0x0000000000CFC000-memory.dmp
memory/2124-34-0x00000000011C0000-0x00000000011CE000-memory.dmp
memory/2124-33-0x00000000011B0000-0x00000000011B8000-memory.dmp
memory/2124-39-0x000000001B400000-0x000000001B40C000-memory.dmp
memory/2124-38-0x000000001B020000-0x000000001B02A000-memory.dmp
memory/2124-37-0x000000001B010000-0x000000001B018000-memory.dmp
memory/2124-36-0x000000001B000000-0x000000001B00C000-memory.dmp
memory/2124-35-0x00000000011D0000-0x00000000011D8000-memory.dmp
memory/2124-32-0x00000000011A0000-0x00000000011AE000-memory.dmp
memory/2124-31-0x0000000001190000-0x000000000119A000-memory.dmp
memory/2124-26-0x0000000000CD0000-0x0000000000CD8000-memory.dmp
memory/2124-25-0x0000000000CC0000-0x0000000000CCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RCXD95F.tmp
| MD5 | 5d8505501b7faa4c7e541b0a32467a58 |
| SHA1 | ed0b9de10c38774af49d9279e25a8958817f33a7 |
| SHA256 | 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca |
| SHA512 | a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 7058a27c3ca227c416ab095df0827719 |
| SHA1 | ab0000c5a59ffda7cfc2fe44df51b0c4be102b1a |
| SHA256 | 24ebad3674fd7a297324917081dbbe9a54aad659ef470f920d6cf63a11411e13 |
| SHA512 | 293c98de66f862c7232db5ce0efcdb9a2e5c6556813ea1e94a7b33c8e38f75146fe80ba98fa2270b08e06faaba44d067961313011243420921851aeb26cd40c5 |
memory/2300-121-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
memory/1828-138-0x0000000001330000-0x0000000001C28000-memory.dmp
memory/2008-136-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/2124-139-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\837d2091-babc-439f-bac8-c244cf353bb2.vbs
| MD5 | 9b4aec1e6db2351915b67e34d4166584 |
| SHA1 | e65be07846c7638912e6a8f1fc6eb418f9c7353f |
| SHA256 | 1069c6c5fbcfe1fb22dd7cd913314fd6e12bf086a1b5a04fe9aada89729b5c05 |
| SHA512 | 420485e8f19cbc3437371cba52acd6b965f9974905a696ba601c0ba86be176f0ae47fee76c250c13679204bdb85e0ee0b575ae6423278b0ff181d82ec573bf65 |
C:\Users\Admin\AppData\Local\Temp\74123978-7af5-4e83-b54f-7598187cd117.vbs
| MD5 | 6a5183b0184e3f3a699c647ba2c0bbef |
| SHA1 | c6d453b8bdbc9e6f590ca932b42aff4bac33a4e7 |
| SHA256 | 10dd2dbae0f415178d5f425302172cb89fe7cbd4248fa34a184a7aead9d890ee |
| SHA512 | 5778f5d8ca0f8e25a4fba9712687506a3a770c31c692ed186992d82883aa7ec9904e3f6f1098de2a4bd8d5342fbb2ff44c735650f715ff2da6eca86029d7d85f |
memory/1804-166-0x0000000001220000-0x0000000001276000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\701fdcff-39ed-4937-b20b-f144a96e339d.vbs
| MD5 | 61c213c910399afd52d8e43f4b202ec5 |
| SHA1 | 26ffd26405b47111ca48f6a44cf6fbc97ad6a770 |
| SHA256 | b76aae388ae995d8068857d7e94a35a209981acfc5d3264506131248e5e55c21 |
| SHA512 | 693bdd1b2661fbb856ab09921d5fcb0308b12af1dcad5ac218d7ae13d5f01bd8e2e037929872e6f8665add941ca2723fa04314c18507decca8290369c1676b82 |
memory/2696-179-0x000000001B4A0000-0x000000001B4F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\80f924f5-ddfa-4ac6-b21f-cfa0976d6ab8.vbs
| MD5 | 7f06bd0ac17e5a8103701b8395982932 |
| SHA1 | 43897cebb416cb0bf7176b7a2d21971366308764 |
| SHA256 | f50b25d551e6f9defe4650d8ab5398494926910a415b8044386ab3e6d9f2ba6f |
| SHA512 | 5959b9a6f61eb0ab50ec67c71799d8ed3e33da23628e54b1bba40f4fe831ea9f077e81c99b0cbd72093caf5d05954a027bef55781c7d1819f924358294ae0f01 |
C:\Users\Admin\AppData\Local\Temp\15a77a32-d2ee-42c9-9229-56f5a29bfc5f.vbs
| MD5 | 9fd5a289cbb45bd2aee9fd6952bb20dd |
| SHA1 | c74466133c0c6492bce6e1f33783a665461e3e2b |
| SHA256 | 55c84b1d439937e3896b25fba6db9faccd0b6647688b38e9dbbe6911b05e882f |
| SHA512 | 0f2606099305020f7505ef8640665842ff24e3aba6102d2ee2a605e5ae6bf35db983347f493a94127242b0ad095185e5742c5e8271ed9da50f19b16ed99ef1fb |
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
| MD5 | 7f21be9ce89cbb8cb81f0008a24802ee |
| SHA1 | 6628cc6ce841bcfcc5d5e87284d22196d15e0490 |
| SHA256 | 3ad53bdfffb31bbe733c2a9866c60f0a20d2edb5845743d576e1a4b4c0b1b441 |
| SHA512 | a285c892fe313478c34b08ed5ae3ede070ae6e5c2e2d4e7c8319a58b5a804ce401d31f5a28e3d55c4ffa421bd94d0c5668eacc5052bb79a6c935654ef105995f |
memory/2416-204-0x0000000000C30000-0x0000000000C86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6dde813ff7286e8839024e617617a509c69bce29.exe
| MD5 | f541550e30e6948fa06af288942aad20 |
| SHA1 | c1ecea8fbeb749e72c2a6200ec55efd8896c96a1 |
| SHA256 | 8c898fe79f90a997df501ee29f4c711a29552ec7effbc2b693b8f32246209d9d |
| SHA512 | 6f7756804daf1c7af49ba3e303eb34e6dee38f34b0605090fd97ac7366608f36d5a2266e3458910650d08e401f9822ac01bbdd41d8dacfaeffb0aeb3d550b9dc |
C:\Users\Admin\AppData\Local\Temp\02460290-6983-4422-8cd2-37c14db1ca5b.vbs
| MD5 | a1bf9b134e6974f40e020caab67148ad |
| SHA1 | 3634201440362fc1cdbf1f0f485efaf42eed81de |
| SHA256 | 4ee43f20b88421e4a131ea67184c2c7e05eb7e1643cac0fa6d8ef0a12a621b6f |
| SHA512 | 16b668b9632196b4c81f3b13fdb55cae2d1e2f5fe944b7caa0f5e31767b0db015254159378d87918a6cd681054f8dcd3d16c6313c20f9d6ca4ade15981121d77 |
Analysis: behavioral25
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
119s
Max time network
129s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe
"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"
Network
Files
memory/2172-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp
memory/2172-1-0x0000000000EB0000-0x00000000010BA000-memory.dmp
memory/2172-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp
memory/2172-3-0x0000000000550000-0x000000000055E000-memory.dmp
memory/2172-4-0x0000000000560000-0x000000000056E000-memory.dmp
memory/2172-5-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
85s
Max time network
139s
Command Line
Signatures
DcRat
Dcrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe
"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2352-0-0x00007FFF87663000-0x00007FFF87665000-memory.dmp
memory/2352-1-0x0000000000E40000-0x000000000104A000-memory.dmp
memory/2352-2-0x00007FFF87660000-0x00007FFF88121000-memory.dmp
memory/2352-3-0x0000000001910000-0x000000000191E000-memory.dmp
memory/2352-4-0x0000000001920000-0x000000000192E000-memory.dmp
memory/2352-6-0x00007FFF87660000-0x00007FFF88121000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Umbral family
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe
"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
Files
memory/2388-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp
memory/2388-1-0x00000000013E0000-0x0000000001420000-memory.dmp
memory/2388-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2388-3-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp
memory/2388-4-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Remcos
Remcos family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4836 set thread context of 5052 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe
"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
| RU | 213.183.58.19:4000 | | tcp |
Files
memory/1104-0-0x0000000074D52000-0x0000000074D53000-memory.dmp
memory/1104-1-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/1104-2-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/1104-5-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/1104-6-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/1104-18-0x0000000074D52000-0x0000000074D53000-memory.dmp
memory/1104-19-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/1104-20-0x0000000074D50000-0x0000000075301000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
| MD5 | 3dde06982003b0e533a684df3964d63e |
| SHA1 | 13247f80d6a518716b9f121591d1eeea814fc680 |
| SHA256 | 1e9f626bab720bb552f865e01a7f3b33edb848047fdcf0404d9864c7bc9088bd |
| SHA512 | 3aafe2560ba495366749738aea8e75ee415f50ef69236a2b10086711a214fa68bdc963ffec4d304dd9fc6fd6a1272451023e5862aaa7f7ef13b36242425e10af |
memory/1104-31-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/4836-32-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/4836-33-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/4836-34-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/4836-35-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/5052-39-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5052-46-0x0000000000400000-0x0000000000417000-memory.dmp
memory/4836-47-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/5052-45-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5052-41-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5052-44-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5052-36-0x0000000000400000-0x0000000000417000-memory.dmp
memory/5052-50-0x0000000000400000-0x0000000000417000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
143s
Max time network
161s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Windows\INF\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Windows\INF\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Windows\INF\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Windows\INF\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\INF\csrss.exe | N/A |
| N/A | N/A | C:\Windows\INF\csrss.exe | N/A |
| N/A | N/A | C:\Windows\INF\csrss.exe | N/A |
| N/A | N/A | C:\Windows\INF\csrss.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\INF\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\INF\csrss.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Media Player\fr-FR\eddb19405b7ce1 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\RCX8EA8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\RCX95D3.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\RCX97D8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXA6E7.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXA6E8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9D59.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9DC8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\reports\RCX9FCD.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\edge_BITS_4648_225925476\RCXA2AE.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\edge_BITS_4648_225925476\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\reports\RCX9FCC.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\edge_BITS_4648_225925476\RCXA1E2.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\MsEdgeCrashpad\reports\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\RCX9564.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\RCX97D7.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Common Files\eddb19405b7ce1 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\Common Files\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\RCX8EA7.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\INF\csrss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File created | C:\Windows\INF\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Windows\INF\RCX9A5A.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Windows\INF\RCX9AD8.tmp | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| File opened for modification | C:\Windows\INF\csrss.exe | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\INF\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\INF\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\INF\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings | C:\Windows\INF\csrss.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\INF\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe
"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\backgroundTaskHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K09nVBHGsQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\INF\csrss.exe
"C:\Windows\INF\csrss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f43129-4b96-4f47-a1b4-cc23f1c103c5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d13c786d-1d9f-4833-9fef-1ce160009d03.vbs"
C:\Windows\INF\csrss.exe
C:\Windows\INF\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7338981a-3da8-4f45-96a4-acbb0e64d018.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaee8a08-0687-48e3-b567-a6b41338d915.vbs"
C:\Windows\INF\csrss.exe
C:\Windows\INF\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4559ebf-c0b9-4a78-b16f-669dce3f4b5d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc942405-30cd-4116-b9a2-f422d2dcd0d5.vbs"
C:\Windows\INF\csrss.exe
C:\Windows\INF\csrss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306970e6-f5bb-4ff6-b5dc-056434e19e15.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\054d82fa-6662-4337-8b25-d6c6956d07fe.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 46.3.197.86:80 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
| DE | 46.3.197.86:80 | | tcp |
Files
memory/1316-0-0x00007FF8ABCC3000-0x00007FF8ABCC5000-memory.dmp
memory/1316-1-0x0000000000AF0000-0x0000000000CDA000-memory.dmp
memory/1316-2-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp
memory/1316-6-0x0000000002E00000-0x0000000002E10000-memory.dmp
memory/1316-5-0x0000000001490000-0x0000000001498000-memory.dmp
memory/1316-7-0x0000000002E40000-0x0000000002E56000-memory.dmp
memory/1316-9-0x0000000002E60000-0x0000000002EB6000-memory.dmp
memory/1316-8-0x0000000002E20000-0x0000000002E2A000-memory.dmp
memory/1316-13-0x000000001B9B0000-0x000000001B9C2000-memory.dmp
memory/1316-11-0x0000000002EC0000-0x0000000002EC8000-memory.dmp
memory/1316-10-0x0000000002EB0000-0x0000000002EBC000-memory.dmp
memory/1316-4-0x000000001BED0000-0x000000001BF20000-memory.dmp
memory/1316-3-0x0000000002DE0000-0x0000000002DFC000-memory.dmp
memory/1316-15-0x000000001BF40000-0x000000001BF4C000-memory.dmp
memory/1316-20-0x000000001C140000-0x000000001C14C000-memory.dmp
memory/1316-19-0x000000001C130000-0x000000001C13C000-memory.dmp
memory/1316-18-0x000000001C120000-0x000000001C128000-memory.dmp
memory/1316-17-0x000000001C110000-0x000000001C11E000-memory.dmp
C:\Program Files\Common Files\backgroundTaskHost.exe
| MD5 | 192f0f1221e376146e725a4d23ee69a0 |
| SHA1 | 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff |
| SHA256 | 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d |
| SHA512 | daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54 |
C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe
| MD5 | d38f2b4edf0a2d92da9a09dd70d2cf37 |
| SHA1 | 8bb8d4d545da1c85f4828ddcd67983b6faa4dc26 |
| SHA256 | 2310585595777afba7f5918c1600f0e717da6277d5f2573445be74a890bd4a0c |
| SHA512 | 87e9ade45737b2b75eaa121bdf9f3af459752e8d9787ad27a502d4e80fb6af5e523eaa2ed447a7315bee850f36794cd8329970be25e99e98ec098fab4f1df350 |
memory/1316-16-0x000000001C100000-0x000000001C10A000-memory.dmp
memory/1316-14-0x000000001CA00000-0x000000001CF28000-memory.dmp
C:\Program Files\Common Files\backgroundTaskHost.exe
| MD5 | 6faff46046ba4e35aaac24654382aaf1 |
| SHA1 | 7ab205f4c2cd3dec0955f7283f20cc9ce9b32057 |
| SHA256 | 8320003cdab3fa348c22e15a1da150dad377039f4ab348c7c5fb24a451faf6a3 |
| SHA512 | 06f42a846f51d5bf1efc28bc7304f29cf267f5be3d28bca39d812aced0c9156544fa080a4ad51024849dcac5f423dbcac58ad02fcaeeee83bd0cf760a558e844 |
C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe
| MD5 | 8064fd807b0a95217b4310fa0f86b6b8 |
| SHA1 | 686474ccf2248cad9ff138384929a5815887cada |
| SHA256 | a60ddfcd566a760aa8d5429a13d92a9be4fc7a48243d4ee8b3b8769a7bbab4ef |
| SHA512 | 695bf4e1f3f91997e742172e48dff7bfed870242778c8940effb942e36a93a4f0fe1f228c0fd0a9dd621f1bb69336e1a7af3d560e523b224f1d2f942862d72ac |
memory/1316-182-0x00007FF8ABCC3000-0x00007FF8ABCC5000-memory.dmp
memory/1316-206-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp
C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe
| MD5 | af1ea42c5a939898dec638a3e3bafe89 |
| SHA1 | e1198b426a010c52d5d819d4e3549b7fd9aedf9c |
| SHA256 | 297fa09f43979245eb68d51b056070d866ba499bbdba48002f510929a30d9529 |
| SHA512 | cedcff98f50e4744780d37878d3df5894a03c68c5181a4863184044ce0042f5bdf75f1e24b5cc18a1796e5f4a6e538e4d5185e57f4a21ef6a2b8050c36551d81 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smsen4sv.z3u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1316-231-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp
memory/5676-241-0x000001F896DF0000-0x000001F896E12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\K09nVBHGsQ.bat
| MD5 | 9de1f780a0d76f5cf665dd3e9b4ee4fb |
| SHA1 | 78f560b23e20723d73e24e75fb30244d40913bcb |
| SHA256 | 4dacf51d0cfe3961fa0cc7cc035d288de7a32a80a3f0fc5eabaa98962e5e7f53 |
| SHA512 | a08b0d35cfc510451432330bd045efd76f1cb02a404d33307389744f837ef2ef33adcf90ff4548269a6c176047bcefedf31116b3d588cb6d4ca4de5950a346c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2044ef36c414ed6e6c991e5fbe7d5bf1 |
| SHA1 | 0dbd4be869af1290a771fa295db969dc14b2a1fc |
| SHA256 | 1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6 |
| SHA512 | 304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aaf0080989fabad865a080216418fbf2 |
| SHA1 | 935075309ff07f95b5c2ff643661fef989526e15 |
| SHA256 | 86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c |
| SHA512 | 21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c8fd95453fe0d2e0f6d8e5ac03994b1 |
| SHA1 | d9811cf9d2b0d0ce3387fd79462cd592b005a634 |
| SHA256 | 232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58 |
| SHA512 | f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c3cddab7d289f65843ac7ee436ff50d |
| SHA1 | 19046a0dc416df364c3be08b72166becf7ed9ca9 |
| SHA256 | c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1 |
| SHA512 | 45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3fe089fecc1a7897c40a12707d788ca9 |
| SHA1 | 97f8ab9020333729ec191b3dbd044c57227b84fc |
| SHA256 | 70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c |
| SHA512 | 4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6bc26d684f5b18f9220f5487ef7791ec |
| SHA1 | 484f4f11b2143a750753f24c413380c2731f28f2 |
| SHA256 | 9381ad930c4656a680f340a2892781ae12b9eb6eccc1a50a0ca40467cf38f35c |
| SHA512 | 2a69e4c58808c4bac49ccd4abe75b79c07482855940d13937371279771e48d1127dde9471bcc2ea2fdc4e93a8434663e4f42e01a1d7ee4c1eb2803aa57450459 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 82da496008a09abc336bf9adbe6453dd |
| SHA1 | a57df6c2432c6bf7ab549a4333e636f9d9dfebd2 |
| SHA256 | 69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810 |
| SHA512 | 86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ea6fe6004d9717ca991a4a5fd8873443 |
| SHA1 | af50625293a3f23d13dedd6cdb64ccf374ec5c85 |
| SHA256 | 81e411c6b8ba866564687309bb2aa45431e595ce1aba231f6abb1c34169355bd |
| SHA512 | 0214e67ddac786e31f3d2f5665f6c15f1dd87c00d403b38ca77260f04bad8b29402ef40c5219af62af27ae05590ef375d7f6a9eee51ef529fd2ecdc80a63cf34 |
memory/1240-407-0x0000000000CD0000-0x0000000000EBA000-memory.dmp
C:\Windows\INF\csrss.exe
| MD5 | e65c46812829dbd42ad6b83b86264516 |
| SHA1 | 573a8d91f80af72a0fb2f3d1d3703d8d9af2d521 |
| SHA256 | 791aa8ff83acfea81ad9677705472f449fa2603fea30d41786afb8cb46f53fbf |
| SHA512 | d92c4429e8fb676cb633299be2e99705ea0c42a4e51a0a39b820a301acaa207be8fd7ee9864034a6a604a1f55cbb8e1d386fa89aeb343324289b4500966f7803 |
memory/1240-408-0x000000001D6A0000-0x000000001D6B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d13c786d-1d9f-4833-9fef-1ce160009d03.vbs
| MD5 | 598aed3da2b9bdd3052dbd5a96dd9bee |
| SHA1 | 2f5f7aca2e053000f16fc5a599a690c2147cccd6 |
| SHA256 | ed446bc64ca3f525e8051e13939e49bc49bf157e36393e8fa9c3e37ac1986d5a |
| SHA512 | ba2457c986c110d6307252d3e52e41d1d76fbf6fef5d466c90e8a576a574a00e6426500bdb1ae361437b0bfa0bab54fdf93318abf67387b0eb6c4a3d80c0ee7a |
C:\Users\Admin\AppData\Local\Temp\61f43129-4b96-4f47-a1b4-cc23f1c103c5.vbs
| MD5 | 61701634730f703141dd8ac5155425c5 |
| SHA1 | 34569d1849fc5e858b274197baf73eaeee196b63 |
| SHA256 | 0f71765886ac465cda927bb0140766cc36729335b77ffac5d72ed5138606b05a |
| SHA512 | 6b5eb486837ede8f5fcaf070380589e9d41fa7c9beacce5329e532d689da65b13d6fc0c28851aa701970c8dcf923669d6b5277723db4eae0603b5a4ecbe2e5db |
memory/1240-418-0x000000001E260000-0x000000001E362000-memory.dmp
memory/1240-421-0x000000001E260000-0x000000001E362000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
| MD5 | 364147c1feef3565925ea5b4ac701a01 |
| SHA1 | 9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef |
| SHA256 | 38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b |
| SHA512 | bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf |
C:\Users\Admin\AppData\Local\Temp\7338981a-3da8-4f45-96a4-acbb0e64d018.vbs
| MD5 | 5c1222a45892d80248b4f364bc79d694 |
| SHA1 | 72c131a0988d4649d76857bc87a4b0ad384de6c7 |
| SHA256 | 0f054f4c59706be1146af6783217d96c735a9af1d26951b0280d99469fd65f58 |
| SHA512 | 8de7ead3649e6b1ca6384513a80d776a3cc763647b233a8847cb54be221e934153afd8bd519ab2182665c45397b0e9bbdad769a59e6e266cca4e727b487ff5f4 |
C:\Users\Admin\AppData\Local\Temp\b4559ebf-c0b9-4a78-b16f-669dce3f4b5d.vbs
| MD5 | 920ba622e14d10ae01909b718cecaa28 |
| SHA1 | e1cf2550b8d6a6bb8a4595ae0eac75a6f3c6f218 |
| SHA256 | 4b7a7739c921345a3559beacfb1c3a28feba40184efba222be3560678ff6a1d3 |
| SHA512 | 54c1c529b893e272ffbbb714a5dbb297c924b707bf6eb6e1a6e6214cbb6f7dd1e051c013c53f5deeba6b7c9d6b072e2d1623d32a25f995aa847d3223855a7996 |
C:\Users\Admin\AppData\Local\Temp\306970e6-f5bb-4ff6-b5dc-056434e19e15.vbs
| MD5 | 259d7e6d9a37a7dfc6436643d2875afc |
| SHA1 | fe0a1bd28418c179438fd325cdf3b71d48140c1e |
| SHA256 | 377e4e0909e000fe50cee20e46c6075e88736e3beb191560b3a9163a5baf7413 |
| SHA512 | 90ca7d2c5f86dbb1aa66ccf8a49aaa739e0e1b6292d309ca3400f524c9f75e7d71ecd43f9552db2151b6c673c656a55c9cd5c223a588d467c04f37070fb30371 |
Analysis: behavioral14
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win10v2004-20250314-en
Max time kernel
131s
Max time network
164s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe
"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | iznarf.bplaced.net | udp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| DE | 162.55.0.137:80 | iznarf.bplaced.net | tcp |
Files
memory/5220-0-0x00007FFAD6AF5000-0x00007FFAD6AF6000-memory.dmp
memory/5220-1-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-2-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-3-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-4-0x000000001BD70000-0x000000001C23E000-memory.dmp
memory/5220-5-0x000000001C2E0000-0x000000001C37C000-memory.dmp
memory/5220-6-0x000000001C3F0000-0x000000001C452000-memory.dmp
memory/5220-7-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-8-0x0000000000F40000-0x0000000000F48000-memory.dmp
memory/5220-9-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-10-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-13-0x00007FFAD6AF5000-0x00007FFAD6AF6000-memory.dmp
memory/5220-14-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-15-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-16-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
memory/5220-17-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:12
Platform
win10v2004-20250314-en
Max time kernel
146s
Max time network
165s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4736 set thread context of 4868 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe
"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
| MA | 196.119.34.23:10000 | doddyfire.linkpc.net | tcp |
Files
memory/1172-0-0x0000000074E72000-0x0000000074E73000-memory.dmp
memory/1172-1-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/1172-2-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/1172-7-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/1172-6-0x0000000074E72000-0x0000000074E73000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 04298def7d2ae8acb8ba44e0657381ed |
| SHA1 | 9b15f92468bdf4c49bb27d67b3dd4aa131359517 |
| SHA256 | 728a4e65086186d13d50ecc219d935a23b9737a0419b2fb995634beea8d64cd6 |
| SHA512 | db0778a6e35ed62f7ccf2cd43e9e7da58937bed53e654ce7cc3dc397a800b8d390d626dc038fb7892203499933e52e3ac0d3ec49160e7179a2b02bfa98c1c702 |
memory/1172-20-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/1172-19-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4736-21-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4736-23-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4736-22-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4868-29-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4868-31-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4868-30-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4736-28-0x0000000074E70000-0x0000000075421000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/4868-24-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4868-32-0x0000000074E70000-0x0000000075421000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2025-03-22 06:08
Reported
2025-03-22 06:11
Platform
win7-20240903-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
| N/A | N/A | C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
"C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3808695b-b5ed-4f68-882d-73dc19cc241c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbefcf26-6e9b-4904-be24-4d0495b8aa70.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79b3adbd-e901-4b29-8776-4cc37e88e7a5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71089328-2bda-47a9-8612-45614989461b.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09566802-f660-4893-83ea-be245e37ae25.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4151b8f-1c59-48aa-9584-05f1b7e85770.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28cbfb2c-1464-4e99-9cdb-06860736bb33.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c89ac4-f539-42f7-a410-3650adea5ad3.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de5dd3f-2d8a-4beb-be72-dde674d9b9da.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\934301f6-9907-49f4-88e9-877d43616079.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f951463-7232-4f2c-8c06-2ec049992cb5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53f81faa-e186-461c-8df0-4c836a024ec6.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4909cc9-401e-430a-9951-a19e25d569eb.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35e3c19-dd68-4a81-839d-98e2fa6c497f.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86781a64-29d8-45ef-8da0-9db19ed3b613.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0017d93c-81a3-4f22-83dc-885878a300a4.vbs"
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb91bc8-5e0f-4a22-bc39-e3340b8e8ba7.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7db610c-d9b1-40e9-93ca-83ad555f386e.vbs"
Network
| Country | Destination | Domain | Proto |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
| RU | 62.109.4.67:80 | | tcp |
| RU | 62.109.4.67:80 | 62.109.4.67 | tcp |
Files
memory/2164-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp
memory/2164-1-0x00000000003B0000-0x0000000000552000-memory.dmp
memory/2164-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp
memory/2164-3-0x0000000000570000-0x000000000058C000-memory.dmp
memory/2164-7-0x0000000002350000-0x0000000002360000-memory.dmp
memory/2164-10-0x0000000002380000-0x000000000238C000-memory.dmp
memory/2164-16-0x0000000002460000-0x000000000246C000-memory.dmp
memory/2164-15-0x0000000002450000-0x000000000245A000-memory.dmp
memory/2164-14-0x0000000002440000-0x0000000002448000-memory.dmp
memory/2164-13-0x00000000023B0000-0x00000000023B8000-memory.dmp
memory/2164-12-0x00000000023A0000-0x00000000023AE000-memory.dmp
memory/2164-11-0x0000000002390000-0x000000000239A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RCXEC15.tmp
| MD5 | 8b03d1f60bdf0b6465c0623109e7269e |
| SHA1 | 33fb1f09f53ca182e1112ed973fce8fa97e4398f |
| SHA256 | 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf |
| SHA512 | 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0 |
memory/2164-9-0x0000000002340000-0x000000000234C000-memory.dmp
memory/2164-8-0x0000000002330000-0x0000000002338000-memory.dmp
memory/2164-6-0x0000000000820000-0x0000000000828000-memory.dmp
memory/2164-5-0x0000000002310000-0x0000000002326000-memory.dmp
memory/2164-4-0x0000000000610000-0x0000000000620000-memory.dmp
C:\Program Files\Google\dllhost.exe
| MD5 | 1b94ffdece2669c380920b6f6fc05787 |
| SHA1 | d2210081a0e734f920f20845338f311ae2ec029d |
| SHA256 | e1603ce7be11ee694f2c479fe54d7a1fdb7f4cd722c96335b52f78bfbe0068bd |
| SHA512 | 0d34160876ad7d88e2cdaecae5ecba9cd6207c5ee824b61ece89e03dcd8d50383f1659b8f4fe48faf7126c983b4fa73c5855d0273dc697568b92ecc899fb4d2c |
C:\Windows\LiveKernelReports\spoolsv.exe
| MD5 | 294e86b19dc9d397ca7bf2a16e52f5e5 |
| SHA1 | 604013d841fb5af5b06e12a11c3c825c962cb43f |
| SHA256 | cbda464b7c254ef90a7c0261642ff50e850b011de75a25806975ca7bff454644 |
| SHA512 | fe50d588f74d06cf8754fcac3dca1e73d8bffb29a9d73852ec1425587ee88b28b7be27b06bdb6a5c4833705678622d95e5b9478cceed21e25f87e878e13acfd4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c181fcabd5d4db82a2965976dc7d0782 |
| SHA1 | bf3ed984433d2309f6274ae46ed53ae774a52555 |
| SHA256 | 6618734d87805a39d74c0ff2780e0222cf8f4149727cd7c0c9f060794da2e7d2 |
| SHA512 | 6e8bb57e9afe80055f7452a5ad0055937e9a9eca0b4ab9ace7036423158566043e19d9a05c8cd752620beb4dcbd4c4735eba6c93acca94e403191fec80d4a827 |
memory/1944-98-0x000000001B680000-0x000000001B962000-memory.dmp
memory/1740-99-0x0000000001D80000-0x0000000001D88000-memory.dmp
memory/1652-105-0x00000000009A0000-0x0000000000B42000-memory.dmp
memory/2164-106-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3808695b-b5ed-4f68-882d-73dc19cc241c.vbs
| MD5 | 598490620ecebfdc865ac897e289fe34 |
| SHA1 | cd3d0c7126bff41b1c28cdc4fdda641497369b09 |
| SHA256 | f8f6edd9accd5e05596d259958388dc90632c91be3cc7a7d33043f68f5fb546e |
| SHA512 | e86d1c7375bf3435d6f8766508cdd2b43577b51ab9e4c00c553ba311040488512022b85109c4dfc1b1cf3cd6314e08cd91aaf9876c235c4fc903ea9f81c6c492 |
C:\Users\Admin\AppData\Local\Temp\cbefcf26-6e9b-4904-be24-4d0495b8aa70.vbs
| MD5 | c433ded079144b90f57050978f3f131c |
| SHA1 | 032818910fd24c86e433290cd985e2285124ed08 |
| SHA256 | c7b455f2f4cd387574b1a5e08ffe6bf841332114ec791cfa95cb202189c6840f |
| SHA512 | 3e0f3cc36eaacb5f460847e0a7f264548f8b4fa2f8219cf43826649cf44cb5ea695477f12e0385cbf59677f2e34184f9a626ace5cdcb4017d73db04ecafe4030 |
memory/1536-117-0x0000000001280000-0x0000000001422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\79b3adbd-e901-4b29-8776-4cc37e88e7a5.vbs
| MD5 | 4fa26e18dd84211a5f425ffc68599744 |
| SHA1 | 2a431d3a4ead0509d04f88864f134a3f45b1c4c5 |
| SHA256 | dd2817a6d0ea657e4f25526c9e02eb0f3a35c65467e437f6e142a41790caa738 |
| SHA512 | dd27362ca5d00d89abae86d635c966ad2b16cb7ce6872463fabfe5a111e3c07590d3e04aebc2e478f76f02c2ffec0275e421e65e9ffc48cd3cf80d3de2998509 |
memory/2608-129-0x0000000001330000-0x00000000014D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09566802-f660-4893-83ea-be245e37ae25.vbs
| MD5 | b84093cc5f7dfed6bfd0b0530c2fe26a |
| SHA1 | 0e1c988cef300652742b51881bed9df9874a6391 |
| SHA256 | 43b5368733a79694c5beb409f041ae648df92e84d709d2de161b01a1bcc23a9b |
| SHA512 | d7c33af4f60f62acedd6c217c56d1e1258c69b2ed16a11d8a8df56b32f0dbc4ef995762723839e02871fc403092d93730c137be2053b2c7060bb22b9d32709d7 |
memory/1616-141-0x00000000003A0000-0x0000000000542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\28cbfb2c-1464-4e99-9cdb-06860736bb33.vbs
| MD5 | 28a16126ba86c6ff4d4d96d35f5f8dec |
| SHA1 | 33392071c3716e4d5b1b8d281038e5fba5d7b8c9 |
| SHA256 | 4a62a45aeccf7b9c407446fc3af4020621ad0d9e368e1ba904cb58222fa35cc3 |
| SHA512 | 75250d59230401327ae4fd00be8ae5775ceb66fb45a52339428d283c086a22dcc625eef682c7daa7d01c6f19086a164a88af450ec4f7b537e3910a26d808aa9d |
memory/1148-153-0x00000000011F0000-0x0000000001392000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8de5dd3f-2d8a-4beb-be72-dde674d9b9da.vbs
| MD5 | 248fcf85673292ee3b07eb60bb97a5a5 |
| SHA1 | bf4ef537bc7f2174f21f1857ecefa8376a18658f |
| SHA256 | 02390a71b4f65232d7e7693010c19be1e075518768aa9b5328e8d0ae989f0275 |
| SHA512 | 36366c40e7f69076ac0f417d80802684d0117ee6c07ba53f227eae8a3dd8edb71629cd67c69fb32bb211628eb3f67d8b8a754f8777ccbcffad71319192277595 |
C:\Users\Admin\AppData\Local\Temp\1f951463-7232-4f2c-8c06-2ec049992cb5.vbs
| MD5 | 9b600a16f45a6e02253623a25b38ac02 |
| SHA1 | 65e3ea07cde173acdafd011593b7df7140dae109 |
| SHA256 | c835535ab73a752edc1265e9df335378ec4c8d37dddcbf84e8a3104e6bc313c7 |
| SHA512 | 614b7e1524d2c254a92322ac3c296896283ce029aebff96051bc206159139850189e0338149bb6451c7267475fb1f9c666df0781e1c111aee6c97df8264fc2c1 |
memory/872-176-0x0000000001390000-0x0000000001532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d4909cc9-401e-430a-9951-a19e25d569eb.vbs
| MD5 | 02ae326d17895f78243db7ff4c068a5f |
| SHA1 | 5c287cbecd700d63e74afd779e8e40195602b2a3 |
| SHA256 | cece1dcebe6604fb9a2de65cf8284f7649b172d18bce30695e25fbf61d6d884f |
| SHA512 | 0b210a454eebbfd1ea1ffad02f64807d50056730b0620e1213c1092645a89d9f2a986152c833b392135c5496eb7faddcd8edaac05a631263b0d8d525b975f0d2 |
memory/1504-188-0x0000000000060000-0x0000000000202000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\86781a64-29d8-45ef-8da0-9db19ed3b613.vbs
| MD5 | fe952d16010a2c097bd65598f8d9dbdb |
| SHA1 | 79d89eec2b4f1857953d48dd5b195e5e6282cbfe |
| SHA256 | 36a433e227c7356b51ba16dce74fd0e91d2ad229c4774a897364754d737172ef |
| SHA512 | 36ff1705116c4c96eb3030af6e6d54136e0214bafcf6232e25224098e617c4c4d5212ff7b98aa85654ee63fdb83f83013c3869d74184f02a57fe83d0d1f9e879 |
memory/2880-200-0x0000000000CF0000-0x0000000000E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6cb91bc8-5e0f-4a22-bc39-e3340b8e8ba7.vbs
| MD5 | 953b7b79d97b2c4003b30ff34805cfd1 |
| SHA1 | 5ba5e444b4dca72c3195d4e1a53641beca6013b3 |
| SHA256 | 5cb586573c892e50655d46144aec0336898576c67e0eca0e288e28ffb973b475 |
| SHA512 | 8f9680e8c8228898e3880236fba56076e87769dd75981dba227d2a00b844d8e495dbc39334dcf891a3688c82287d63153e1af25a6004f2fcc5cb4c12f906b76a |